Linear Temporal Logic and Propositional Schemata, Back and Forth* (extended version)



Vincent Aravantinos, Ricardo Caferra, Nicolas Peltier 

Laboratory of Informatics of Grenoble (CNRS, Grenoble INP)
Bâtiment IMAG C - 220 rue de la Chimie 38400 Saint Martin d'Hères
{Vincent.aravantinos, ricardo.caferra, nicolas.peltier}@imag.fr



Abstract. This paper relates the well-known formalism of Linear Temporal Logic [Pnu77] with the logic of propositional schemata introduced in [ACP09]. We prove that LTL is equivalent to a particular class of schemata in the sense that polynomial-time translation algorithms exist from one logic to the other. Some consequences about complexity are given. We report about first experiments and the consequences about possible improvements in existing implementations are analyzed.



1 Introduction 

Linear Temporal Logic (LTL) is a very well-known logic introduced in [Pnu77] for verifying computer programs. It is widely used to reason on finite state transition systems. On the other hand, propositional schemata have been introduced in [ACP09]. They extend the language of propositional logic with indexed propositions (such as $p_n$, $p_i$ or $p_{i+1}$) and iterated connectives of the form $\bigvee_{i=0}^{n} \phi$ or $\bigwedge_{i=0}^{n} \phi$. Notice that $n$ denotes a parameter, which must be interpreted as a natural number. If arbitrary expressions for indices and iterations are allowed in the schema, then the satisfiability problem is undecidable, but we have identified in [ACP09,ACP10a,ACP11] some subclasses for which this problem is decidable. The simplest of these classes is called regular: it is defined by restricting both the indices of the propositions, that must be of the form $k$ or $n + k$ where $k \in \mathbb{Z}$ and $n$ is a variable, and iterations, that must be non-nested and of the form $\bigwedge_{i=k}^{n-l}$ where $n$ is a variable and $k, l \in \mathbb{Z}$. Decision procedures are designed in [ACP09,ACP10a] and an implementation is available [ACP10c].

LTL and propositional schemata share many common features and trying to compare them precisely is a rather natural and, hopefully, fruitful idea. In both logics, interpretations can be viewed as arrays of propositional functions and the formulae relate the values of these functions at different states. The indices of the propositions in the schematic case may be viewed as the time in LTL. Thus comparing the expressive powers and complexities of those two logics, and, if possible, defining translations from one logic to the other is a natural and potentially rewarding issue. Notice that there already exist several results relating LTL to other formalisms like monadic second order logic via Büchi automata [WVS83], monadic first order logic over natural numbers [GPSS80] or star-free regular languages [Tho79]. However, there is a fundamental difference between these languages and the logic of schemata: they deal with infinite objects (infinite interpretations in the case of LTL or first order logic over natural numbers, infinite words in the case of star-free regular languages), whereas schemata deal with intrinsically finite (but unbounded) interpretations. This subtle but important difference introduces difficulties in the definition of such translations. This topic bears some similarities with the approach of [CNP94] where problems on Büchi automata are reduced to problems on finite automata by using the ultimately periodic property of $\omega$-regular languages.

Note that finite interpretation is sometimes a desired feature: restricting LTL to finite traces has been considered in [EFH+03], and has applications in, e.g., planning or runtime verification [BK95,BM06,BH10]. It can be argued that the use of LTL in such contexts is a bit of an overkill. Indeed, often, rather than considering finite traces per se, the preferred approach is to turn them into infinite traces by infinitely repeating the last state. It seems to us that it would be more natural to use schemata for such applications. In the present work, it is shown that doing so entails no loss in expressive power.

In the present paper, we show that LTL is equivalent to a particular subclass of regular schemata, referred to as sequential. More precisely, we define functions effectively translating formulae from one logic into the other and show that this transformation preserves satisfiability. We believe that these results are interesting from a theoretical perspective since they provide useful information about the expressive power of the respective formalisms. Furthermore they allow one to import the complexity results of LTL into schemata. From a practical point of view, the existence of a polynomial reduction from a class of propositional schemata into LTL allows one to benefit from the many existing efficient decision procedures for this logic (tableaux methods, e.g. [Wol85,Sch98], resolution-based methods, e.g. [FDP01], or reductions to model checking, e.g. [RV07,DWDMR08]), implementations [BHS98,HK03,CCG+02,DWDMR08] and experimentation tools [GHLS05]. Conversely, the reverse reduction might give further ideas for the design of new techniques to decide LTL satisfiability. In particular, since a DPLL-based procedure exists for regular schemata [ACP10a], it might help to design such a procedure for LTL. On another hand, this reduction is very reminiscent of the translation from LTL to propositional logic encountered in bounded model checking (BMC) [BCC+03]. Contrary to BMC, however, our reduction is complete; it might thus give new ideas to achieve completeness in BMC.

The paper is structured as follows. In Section 2 we define LTL and the logic of propositional schemata. In Section 3 we show how to relate the interpretations of both formalisms. A polynomial algorithm transforming any sequential schema into an equivalent LTL formula is presented in Section 4 and Section 5 tackles the reverse translation, i.e. from LTL formulae to schemata. Section 6 presents the results about first experiments with those translations and sketches the possible improvements inspired by those experiments. Section 7 presents pros and cons of each logic, and makes a very informal comparison of how LTL procedures behave on schemata modulo the given translation, and, conversely, how schemata procedures behave on LTL formulae. Of course, with the given translations and the usual reduction of model checking to satisfiability, one can do model checking with schemata. Section 8 gives an example of such model checking. Finally, Section 9 briefly concludes our work.

2 Definitions and notations 

In the following, $\phi, \phi_1, \phi_2$ denote LTL formulae, $s, s_1, s_2$ denote schemata, $\sigma$ denotes an LTL or propositional interpretation, $\mathfrak{I}, \mathfrak{M}$ denote schema interpretations, $e, f, g$ denote (Presburger) arithmetic expressions, $\mathsf{n}, \mathsf{i}$ denote arithmetic variables ($\mathsf{n}$ will be used for a free arithmetic variable ("parameter") and $\mathsf{i}$ for a bound one). Remark that $\mathsf{n}, \mathsf{i}$ are written in sans serif in order to distinguish them from meta variables denoting natural numbers, that will be written $n, i$.

Both LTL and schemata have propositional logic as a common basis. Furthermore, in both languages, propositional variables are accompanied with a natural number (an instant in the case of LTL, an index for schemata). So instead of defining, as in classical propositional logic, an interpretation as a function mapping each propositional variable to a truth value, we rather define interpretations as functions mapping pairs of propositional variables and natural numbers to truth values. Formally:

Definition 1. Let $V$ be a set of propositional variables. A propositional interpretation over $V$ is a function from $V \times \mathbb{N}$ to $\{\mathit{true}, \mathit{false}\}$.

Example 2. Let $V = \{p, q\}$. Then $\sigma$ s.t. $\sigma(p, 0) = \mathit{true}$, $\sigma(q, 0) = \mathit{false}$, $\sigma(p, 1) = \mathit{false}$, $\sigma(q, 1) = \mathit{false}$, $\sigma(p, 2) = \mathit{true}$, $\sigma(q, 2) = \mathit{true}$, and, for any $k > 2$: $\sigma(p, k) = \mathit{true}$ and $\sigma(q, k) = \mathit{false}$, is a propositional interpretation.

An interpretation $\sigma$ is represented by the set of all pairs (variable, natural number) that are true in $\sigma$. Most of the time we do not need to make that set explicit. For instance, when interpreting a given formula $\phi$, it will be implicitly assumed that we consider only interpretations over sets that contain the variables of $\phi$.

2.1 LTL 

We now recall the syntax and semantics of LTL. 

Definition 3. The syntax of LTL formulae over the set of propositional variables $V$ is given by the following grammar:

    $\phi ::= \top \mid p \mid \neg\phi \mid \phi \wedge \phi \mid X\phi \mid \phi\,U\,\phi$

$X\phi$ means that $\phi$ holds at the next instant ("X" for neXt). $\phi\,U\,\psi$ means that $\phi$ holds until $\psi$ holds ("U" for Until). We will also use the following abbreviations: $F\phi = \top\,U\,\phi$ and $G\phi = \neg F \neg\phi$, meaning respectively "$\phi$ eventually holds" and "$\phi$ always holds". The abbreviations $\vee$, $\Rightarrow$ and $\Leftrightarrow$ are defined as usual (the naive elimination of $\Leftrightarrow$ is exponential but it can be made linear by using renaming of subformulae as usual, which preserves satisfiability). See [Pnu77] for details.

LTL formulae are usually interpreted over infinite paths in a transition system, together with a labelling that maps every state to a set of propositional variables. Such sequences are often called computations or behaviours. We will simply call them LTL interpretations. For uniformity, we define formally an LTL interpretation as a propositional interpretation in the sense of Definition 1 (we do not make explicit the notions of states, transition systems and labelling).

Example 4. The interpretation $\{p, q\} \to \{p\} \to \{q\} \to \{p, q\} \to \{\} \to \{\} \to \dots$ is formally represented as the function $\sigma$ s.t.

    $\sigma(p, 0) = \mathit{true}$, $\sigma(q, 0) = \mathit{true}$,
    $\sigma(p, 1) = \mathit{true}$, $\sigma(q, 1) = \mathit{false}$,
    $\sigma(p, 2) = \mathit{false}$, $\sigma(q, 2) = \mathit{true}$,
    $\sigma(p, 3) = \mathit{true}$, $\sigma(q, 3) = \mathit{true}$,
    $\sigma(p, 4) = \mathit{false}$, $\sigma(q, 4) = \mathit{false}$, ...

Then $\sigma(t)$ denotes the set of variables $p$ that are true at time $t$, i.e. such that $(p, t) \in \sigma$ (in the previous example, $\sigma(0) = \{p, q\}$, $\sigma(1) = \{p\}$, etc.). The satisfaction relation of an LTL formula under such an interpretation $\sigma$ is defined w.r.t. an instant $t$, written $\sigma, t \models \phi$. This means that the formula $\phi$ holds at time $t$.

Definition 5. Let $\phi$ be an LTL formula, $\sigma$ be a propositional interpretation and $t \in \mathbb{N}$. The relation $\sigma, t \models \phi$ is inductively defined as follows:

    $\sigma, t \models \top$
    $\sigma, t \models p$ iff $(p, t) \in \sigma$
    $\sigma, t \models \neg\phi$ iff $\sigma, t \not\models \phi$
    $\sigma, t \models \phi_1 \wedge \phi_2$ iff $\sigma, t \models \phi_1$ and $\sigma, t \models \phi_2$
    $\sigma, t \models X\phi$ iff $\sigma, t + 1 \models \phi$
    $\sigma, t \models \phi_1\,U\,\phi_2$ iff $\exists k \in \mathbb{N}$ s.t. $\forall i \in \mathbb{N}, i < k \Rightarrow \sigma, t + i \models \phi_1$ and $\sigma, t + k \models \phi_2$

The notation $\sigma \models \phi$ means that $\phi$ is true in $\sigma$ at time 0.
A fundamental property of LTL is the "ultimately periodic model property". Namely, if an LTL formula is satisfiable, then it is satisfiable on some ultimately periodic interpretation.

Definition 6. An ultimately periodic ("UP") interpretation is an LTL interpretation $\sigma$ s.t. there exist $k, l \in \mathbb{N}$ s.t. $l > 0$ and for all $m \geq k$, $\sigma(m) = \sigma(m + l)$. The sequence $\sigma(0) \dots \sigma(k - 1)$ is the prefix of $\sigma$ and $\sigma(k) \dots \sigma(k + l - 1)$ its loop, $k$ is the prefix index and $l$ is the period.

Theorem 7 ([SC85]). Any satisfiable LTL formula has a UP model.

This important result allows us to focus exclusively on finite sets of instants. Indeed it is sufficient to give the values of a UP interpretation for times 0 to $k + l$. Other values until $\omega$ can then be computed.

Example 8. Figure 1 represents a UP model of $GFp$.

    $\{\} \to \{p\} \to \{\} \to \{p\} \to \{\}$

Fig. 1. A UP model of $GFp$



2.2 Schemata 

We now recall the syntax and semantics of schemata (for simplicity, the considered definitions are slightly more restrictive than the ones of [ACP09]). Let $\mathcal{E}$ be the set of Presburger arithmetic expressions, i.e. terms built over a countably infinite set of arithmetic variables $\mathcal{X}$ and on the signature containing $0$, $\mathit{succ}$, $+$ and possibly all the constant symbols in $\mathbb{N}$ (see footnote 1). As usual a term is ground iff it contains no variable. Notice that every ground expression will be considered the same as the natural number it represents.

Definition 9. The syntax of schemata over the set of propositional variables $V$ is given by the following grammar:

    $s ::= \top \mid p_e \mid \neg s \mid s \wedge s \mid \bigwedge_{i=0}^{n-1} s$

where $p \in V$, $e \in \mathcal{E}$ and $i, n \in \mathcal{X}$. $\bigvee_{i=0}^{n-1} s$ is defined as $\neg \bigwedge_{i=0}^{n-1} \neg s$ and $\vee$, $\Rightarrow$ and $\Leftrightarrow$ are defined as usual.

1. Such constants may be encoded in unary, as terms of the form $\mathit{succ}^k(0)$, but also in binary, as sequences of digits. As we shall see, the choice between the two encodings has a significant influence on the complexity of the translation: polynomial translation of schemata into LTL is feasible only if numbers are encoded in unary.
Example 10. $p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1}) \wedge \neg p_n$ and $\bigwedge_{i=0}^{n-1} p_i \wedge \bigvee_{i=0}^{n-1} \neg p_i$ are schemata.

Remark 11. This definition is less general than the one originally introduced in [ACP09] because all integers occurring in the schema must be positive (we consider Presburger arithmetic instead of linear arithmetic). This was not the case in [ACP09], but it is easy to check that both formalisms have exactly the same expressive power. Furthermore the iterations are here restricted to go from $0$ to $n - 1$. Once again this is not restrictive w.r.t. the expressive power, but it allows us to get rid of tedious additional restrictions that would be needed otherwise.

Schemata of the form $p_e$ are called indexed propositions, and those of the form $\bigwedge_{i=0}^{n-1} s$ are called iterated conjunctions or simply iterations. The variable $i$ is bound in $\bigwedge_{i=0}^{n-1} s$. The essential point of schemata is that iterations are symbolic expressions: $n$ is a formal variable, called a parameter, not a meta variable denoting any number. From now on, we assume that all schemata have only one parameter called $n$. This is not restrictive for the scope of this paper (see [AMEP10]).

A schema is interpreted by first giving a value to the parameter (which gives rise to a propositional formula $\phi$, called an "instance" of the schema) and then by giving a value to the propositional variables of $\phi$. Note that a schema has an infinite set of instances. If $s$ is a schema or an arithmetic expression, $i$ is an arithmetic variable and $e$ is an arithmetic expression, then $s[e/i]$ denotes the expression obtained from $s$ by replacing every free occurrence of $i$ by $e$. Note that, if $e$ is ground and $s$ is an arithmetic expression containing only the variable $i$, then $s[e/i]$ is a ground arithmetic expression, i.e. a natural number. Then:

Definition 12. Let $s$ be a schema of parameter $n$ and $m \in \mathbb{N}$. The instance of $s$ w.r.t. $m$ is the propositional formula $(s)_m$ inductively defined as follows:

    $(p_e)_m = p_{e[m/n]}$
    $(\neg s)_m = \neg (s)_m$
    $(s_1 \wedge s_2)_m = (s_1)_m \wedge (s_2)_m$
    $(\bigwedge_{i=0}^{n-1} s)_m = \top$ if $m = 0$
    $(\bigwedge_{i=0}^{n-1} s)_m = (s[0/i])_m \wedge \dots \wedge (s[m-1/i])_m$ otherwise

Example 13.

    $(p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1}) \wedge \neg p_n)_0 = p_0 \wedge \neg p_0$
    $(p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1}) \wedge \neg p_n)_1 = p_0 \wedge (p_0 \Rightarrow p_1) \wedge \neg p_1$
    $(p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1}) \wedge \neg p_n)_2 = p_0 \wedge (p_0 \Rightarrow p_1) \wedge (p_1 \Rightarrow p_2) \wedge \neg p_2$

etc.

An instance is a usual propositional formula except that each variable is indexed with a natural number. So we just need a propositional interpretation to interpret this formula as usual:

Definition 14. Let $\phi$ be a propositional formula whose variables are indexed by natural numbers, and $\sigma$ a propositional interpretation. Then $\sigma \models \phi$ is defined as usual by induction on the structure of $\phi$ with the exception that, for any indexed propositional variable $p_k$, $\sigma \models p_k$ iff $(p, k) \in \sigma$.

We thus define a schema interpretation as a pair consisting of a propositional interpretation and a natural number.

Definition 15. A schema $s$ is true in a schema interpretation $(\sigma, n)$ iff $\sigma \models (s)_n$. We also use the notation $\models$ for schemata: $\mathfrak{I} \models s$ iff the schema $s$ is true in the schema interpretation $\mathfrak{I}$.

Example 16. $p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1}) \wedge \neg p_n$ is unsatisfiable (see its set of instances in Example 13) as well as $\bigwedge_{i=0}^{n-1} p_i \wedge \bigvee_{i=0}^{n-1} \neg p_i$; $p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1})$ is satisfiable.
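The instance construction of Definition 12 and the truth conditions of Definitions 14 and 15, worked out as an added Python example (this is not code from the paper or from the schemata implementation it cites). Schemata are nested tuples whose indices are restricted to the SPS shapes $k$, $n+k$ and $i+k$, an assumption made here to keep substitution simple; the helper names (p, conj, instance, holds, has_model, show) are chosen for this example, and has_model only brute-forces one instance $(s)_n$, it is not a decision procedure for schemata.

```python
from itertools import combinations

# Schemata are nested tuples. Indices are restricted to the SPS shapes k, n+k
# and i+k (Definition 17), encoded as ('const', k), ('n', k) and ('i', k); this
# restriction is an assumption of the example (Definition 9 allows any
# Presburger expression). Connectives:
#   ('top',)   ('prop', p, idx)   ('not', s)   ('and', s1, s2)   ('imp', s1, s2)
#   ('iter', s)   for the iteration /\_{i=0}^{n-1} s
TOP = ('top',)

def p(name, var=None, k=0):
    """p_k (var=None), p_{n+k} (var='n') or p_{i+k} (var='i')."""
    return ('prop', name, ('const' if var is None else var, k))

def neg(s): return ('not', s)
def imp(a, b): return ('imp', a, b)
def iteration(s): return ('iter', s)

def conj(*ss):
    """Right-nested conjunction s1 /\ (s2 /\ ...)."""
    return ss[0] if len(ss) == 1 else ('and', ss[0], conj(*ss[1:]))

def subst_i(s, j):
    """s[j/i]: replace every occurrence of the bound variable i by j."""
    tag = s[0]
    if tag == 'prop':
        var, k = s[2]
        return ('prop', s[1], ('const', k + j)) if var == 'i' else s
    if tag in ('not', 'iter'):
        return (tag, subst_i(s[1], j))
    if tag in ('and', 'imp'):
        return (tag, subst_i(s[1], j), subst_i(s[2], j))
    return s

def instance(s, m):
    """(s)_m, the instance of s for the parameter value m (Definition 12)."""
    tag = s[0]
    if tag == 'top':
        return TOP
    if tag == 'prop':
        var, k = s[2]
        assert var != 'i', 'i must occur inside an iteration'
        return ('prop', s[1], ('const', k + (m if var == 'n' else 0)))
    if tag == 'not':
        return ('not', instance(s[1], m))
    if tag in ('and', 'imp'):
        return (tag, instance(s[1], m), instance(s[2], m))
    # iteration: T when m = 0, otherwise (s[0/i])_m /\ ... /\ (s[m-1/i])_m
    if m == 0:
        return TOP
    return conj(*[instance(subst_i(s[1], j), m) for j in range(m)])

def holds(phi, sigma):
    """sigma |= phi (Definition 14); sigma is the set of true pairs (p, k)."""
    tag = phi[0]
    if tag == 'top':
        return True
    if tag == 'prop':
        return (phi[1], phi[2][1]) in sigma
    if tag == 'not':
        return not holds(phi[1], sigma)
    if tag == 'and':
        return holds(phi[1], sigma) and holds(phi[2], sigma)
    return (not holds(phi[1], sigma)) or holds(phi[2], sigma)    # imp

def satisfied(s, sigma, n):
    """The schema s is true in the schema interpretation (sigma, n) (Def. 15)."""
    return holds(instance(s, n), sigma)

def show(phi):
    """Write an instance the way Example 13 does (T is left unsimplified)."""
    tag = phi[0]
    if tag == 'top':
        return 'T'
    if tag == 'prop':
        return f'{phi[1]}{phi[2][1]}'
    if tag == 'not':
        inner = show(phi[1])
        return '~' + (inner if phi[1][0] in ('top', 'prop') else f'({inner})')
    return f'({show(phi[1])} {"&" if tag == "and" else "=>"} {show(phi[2])})'

def _pairs(phi):
    if phi[0] == 'prop':
        yield (phi[1], phi[2][1])
    elif phi[0] != 'top':
        for c in phi[1:]:
            yield from _pairs(c)

def has_model(s, n):
    """Brute force over all interpretations of the single instance (s)_n."""
    phi = instance(s, n)
    vs = sorted(set(_pairs(phi)))
    return any(holds(phi, set(c)) for r in range(len(vs) + 1)
               for c in combinations(vs, r))

# Examples 10, 13 and 16: p_0 /\ /\_{i=0}^{n-1}(p_i => p_{i+1}) /\ ~p_n, and the
# same schema without its last conjunct, which is satisfiable.
STEP = iteration(imp(p('p', 'i'), p('p', 'i', 1)))
CHAIN = conj(p('p'), STEP, neg(p('p', 'n')))
CHAIN_SAT = conj(p('p'), STEP)
```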

The satisfiability problem for schemata is undecidable in general [ACP09]. However various decidable classes are investigated in [ACP09,ACP10a,ACP11]. In the following, we will focus on the translation of LTL from/to "sequential" schemata:

Definition 17. A schema is a sequential propositional schema ("SPS") iff all the following conditions hold:

— it contains no nested iteration (iterations in the scope of another iteration);

— every index of a variable outside an iteration is of the form $k$ or $n + k$, where $k \in \mathbb{N}$ and $n$ is the parameter;

— every index of a variable inside an iteration $\bigwedge_{i=0}^{n-1} s$ is of the form $i + k$, where $k \in \mathbb{N}$.

Example 18. $p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1})$; $p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1}) \wedge \neg p_n$ and $\bigwedge_{i=0}^{n-1} p_i \wedge \bigvee_{i=0}^{n-1} \neg p_i$ are SPS; $\bigwedge_{i=0}^{n} p_i \wedge \bigvee_{i=0}^{n} \neg p_i$, $p_{2n} \wedge \bigwedge_{i=0}^{n-1} p_i$, $\bigwedge_{i=0}^{n-1} p_{2n}$, and $\bigwedge_{i=0}^{n-1} p_{2i}$ are not.

Informally, an SPS represents a structure which is sequentially repeated, $n$ being considered as the length of the sequence. SPS belong to the class of "regular" schemata, for which the satisfiability problem is proved to be decidable in [ACP09].

3 Translating interpretations

In the next sections we will provide translations of LTL formulae into SPS and 
conversely. Some semantic translations underlie those syntactic ones. We make 
them explicit now in order to give preliminary insights. 

3.1 From schemata to LTL 

Consider a schema interpretation $(\sigma, n)$. Its first component $\sigma$ can already be considered as an LTL interpretation, but we still need to represent the second component $n$. This is done by using special LTL interpretations (which are also propositional interpretations) called "initial segments":

Definition 19. Let $\sigma$ be a propositional interpretation over a set of variables $V$. $\sigma$ is an initial segment of length $k \in \mathbb{N}$ for some $p \in V$ iff $(p, t) \in \sigma$ when $t < k$, and $(p, t) \notin \sigma$ otherwise.

Example 20. Figure 2 provides a graphical representation of an initial segment of length 4 for $p$.

    $\{p, q\} \to \{p\} \to \{p\} \to \{p, q\} \to \{q\} \to \{q\} \to \dots$ (the first four states form the initial segment)

Fig. 2. Initial segment of length 4 for $p$.

The key feature of initial segments is that they can be put in correspondence with natural numbers. Namely, we can associate a canonical initial segment to every natural number and a natural number to every initial segment. This correspondence allows us to define the following transformation for schema interpretations:

Definition 21. Let $V$ be a set of propositional variables and let "$t < n$" $\notin V$ be a propositional variable. Let $\mathfrak{I} = (\sigma, n)$ be a schema interpretation over $V$. Then $[\![\mathfrak{I}]\!]$ is the propositional interpretation (and thus also an LTL interpretation) over $V \cup \{t < n\}$ which is an initial segment of length $n$ for $t < n$ and which is defined as $\sigma$ over $V$. Conversely, $[\![\cdot]\!]^{-1}$ is the function that maps every initial segment $\sigma$ of length $n$ for $t < n$ to the schema interpretation $(\tau, n)$ where $\tau$ is the restriction of $\sigma$ to $V$.

Example 22. Let $\mathfrak{I}$ be the schema interpretation $(\{p_0, q_0, p_1, p_2, q_3\}, 3)$. Then $[\![\mathfrak{I}]\!] = \{p, q, t < n\} \to \{p, t < n\} \to \{p, t < n\} \to \{q\} \to \{\} \to \{\} \to \dots$ Conversely, let $\sigma$ be the LTL interpretation $\{q, t < n\} \to \{q, t < n\} \to \{p, t < n\} \to \{p, q, t < n\} \to \{p\} \to \{p\} \to \dots$, then $[\![\sigma]\!]^{-1} = (\{q_0, q_1, p_2, p_3, q_3, p_4, p_5, \dots\}, 4)$.

The map $[\![\cdot]\!]$ is a bijection between schema interpretations over $V$ and initial segments over $V \cup \{t < n\}$. Indeed, $[\![\cdot]\!]^{-1}$ is its inverse.

Remark 23. An important difference between schemata and LTL is the fact that all interpretations of schemata are finite, whereas those of LTL are infinite (i.e. time is unbounded). Initial segments thus allow us to simulate finite models in LTL.

Finally notice that the set of initial segments can be specified in LTL as follows:

Proposition 24. Let $\phi^{t<n}$ be the following formula:

    $\phi^{t<n} = (t < n)\,U\,G(\neg t < n)$

Then an LTL interpretation is a model of $\phi^{t<n}$ iff it is an initial segment for $t < n$.

Proof. An interpretation is a model of $\phi^{t<n}$ iff it makes $t < n$ true until $\neg t < n$ always holds. Let us write $k$ for the first instant where $t < n$ does not hold. Then this is equivalent to say that $t < n$ holds at time $t$ iff $t < k$. □

We can also specify a proposition $eq^n$ that is true only at time $n$. This is axiomatized by:

    $Ax_{t=n} = G(t < n \wedge \neg X(t < n) \Leftrightarrow X(eq^n)) \wedge (\neg t < n \Leftrightarrow eq^n)$

To improve readability, $eq^n$ will be written $t = n$.

Proposition 25. Let $\sigma$ be an initial segment for $t < n$ of length $n$ s.t. $\sigma, 0 \models Ax_{t=n}$. Then $\sigma, t \models t = n$ iff $t = n$.

Proof. By definition, $t < n$ holds at time $t$ iff $t < n$. If $n = 0$ then $t < n$ never holds, in particular, $t < n$ does not hold at time 0. Since $\sigma \models Ax_{t=n}$, $\sigma$ satisfies its second conjunct, and as $t < n$ does not hold at time 0, $eq^n$ (i.e. $t = n$) holds at time 0. Furthermore, since $\sigma$ satisfies the first conjunct and $t < n$ never holds again, $t = n$ is never satisfied again. Suppose now $n \neq 0$, then there is indeed at least one instant s.t. $t < n$ holds. Thus $t < n$ holds at time $n - 1$ and not at time $n$, which corresponds precisely to the first conjunct of $Ax_{t=n}$. Furthermore $n$ is the only instant with this property hence the result. □

3.2 From LTL to schemata 

The inverse translation is harder: embedding LTL into schemata means that we must represent the infinite interpretations of LTL using only schema interpretations, which are finite. Of course this is impossible in general. However, as we are concerned with satisfiability, we can make use of Theorem 7 and restrict ourselves to UP interpretations. Since such interpretations can be finitely represented, we will be able to embed them into schema interpretations. The representation of UP interpretations within schemata is achieved via particular schema interpretations called "2-initial segments":

Definition 26. A schema interpretation $\mathfrak{I} = (\sigma, n)$ is a 2-initial segment for a propositional variable $p$ iff there exists $k \leq n$ s.t., for every $l \in \{0, \dots, n\}$, we have $(p, l) \in \sigma \Leftrightarrow l < k$. We call $k$ the short length of $\mathfrak{I}$ and $n + 1$ is its long length.

Example 27. The schema interpretation $(\{p_0, p_1, p_2\}, 5)$ is a 2-initial segment w.r.t. $p$ (see Figure 3). Its short length is 3, its long length is 6.

    [Figure 3: the short segment covers the indices 0 to 2 ($p_0$, $p_1$, $p_2$), the long segment the indices 0 to 5 ($\neg p_4$, $\neg p_5$ at its end).]

Fig. 3. 2-initial segment of short length 3 and long length 6 for $p$.



We call this a 2-initial segment because two initial segments are characterized: $\{0, \dots, k - 1\}$ (characterized by $\sigma$) and $\{0, \dots, n\}$ (characterized by $n$). Notice, however, that the segment $\{0, \dots, k - 1\}$ is characterized by $p$ only below $n$, i.e. the value of $p$ is not specified above $n$. This is not a problem since we will not need such values in the translations.

The notion of 2-initial segment is useful because, much in the same way in which initial segments correspond to natural numbers, 2-initial segments correspond to pairs of different natural numbers. We can now define the following transformation for UP interpretations:

Definition 28. Let $\sigma$ be a UP interpretation of prefix index $k$ (i.e. the loop starts at time $k$) and of period $l$ over a set $V$, and let "$\mathit{pfx}$" $\notin V$ be a propositional variable. Then $[\![\sigma]\!]$ is the schema interpretation $(\tau, k + l - 1)$ where $\tau$ is defined as an initial segment of length $k$ for $\mathit{pfx}$ and preserving the value of $\sigma$ on $V$.

Example 29. Let $\sigma$ be the UP interpretation of prefix index 2 and period 3 (totally) defined by: $\{p, q, r\} \to \{p\} \to \{q, r\} \to \{p, q\} \to \{q, r\}$. Then $[\![\sigma]\!] = (\{\mathit{pfx}_0, p_0, q_0, r_0, \mathit{pfx}_1, p_1, q_2, r_2, p_3, q_3, q_4, r_4\}, 4)$.

Remark 30. The map $[\![\cdot]\!]$ embeds the prefix index and the period inside schema interpretations, but it is impossible to specify the fact that an interpretation is a UP interpretation: indeed this would require to express that the interpretation loops indefinitely. Such a specification of an "infinite" behaviour cannot be achieved with schemata. This will not be a problem in the following because, when focusing on a given LTL formula, one only needs to specify this behaviour in the range $\{0, \dots, k + l - 1\}$.

For similar reasons, $[\![\cdot]\!]$ is not a bijection in general, unlike $[\![\cdot]\!]$ of Definition 21. It is actually a bijection between UP interpretations and 2-initial segments if we restrict the latter to the values assigned to variables whose index is between $0$ and $k + l - 1$.






This will indeed be the case in our reduction since, as just explained, we will not need the values for other indices. Then $[\![\cdot]\!]^{-1}$ is defined as follows:

Definition 31. Let $\mathfrak{I} = (\sigma, n)$ be a 2-initial segment for $\mathit{pfx}$. Then $[\![\mathfrak{I}]\!]^{-1}$ is defined as the unique UP interpretation such that:

— its prefix is the set of instants s.t. $\mathit{pfx}$ holds in $\mathfr
ak{I}$;

— its period $l$ is $n - k + 1$, where $k$ is the prefix index;

— for all $p \neq \mathit{pfx}$ and all $t \leq n$, $(p, t) \in [\![\mathfrak{I}]\!]^{-1}$ iff $(p, t) \in \mathfrak{I}$.

Example 32. Let $\mathfrak{I} = (\{\mathit{pfx}_0, p_0, \mathit{pfx}_1, q_1, p_2, p_3, q_3\}, 3)$. Then $[\![\mathfrak{I}]\!]^{-1}$ is the UP interpretation of prefix index 2 and period 2 defined by $[\![\mathfrak{I}]\!]^{-1} = \{p\} \to \{q\} \to \{p\} \to \{p, q\} \to \dots$ where the contents of the dots can be retrieved by the UP property of the interpretation.

Finally, 2-initial segments can be specified using schemata:

Proposition 33. Let $s^{\mathit{pfx}}$ be the following SPS:

    $s^{\mathit{pfx}} = \neg \mathit{pfx}_n \wedge \bigwedge_{i=0}^{n-1}(\mathit{pfx}_{i+1} \Rightarrow \mathit{pfx}_i)$

Then a schema interpretation is a model of $s^{\mathit{pfx}}$ iff it is a 2-initial segment for $\mathit{pfx}$.

Proof. Let $\mathfrak{I} = (\sigma, n)$ be a model of $s^{\mathit{pfx}}$. For any $k \in \mathbb{N}$ s.t. $\mathit{pfx}_k$ holds, $\mathit{pfx}_{k'}$ holds for every $k' \leq k$, because $\sigma$ satisfies the second conjunct of $s^{\mathit{pfx}}$. Furthermore there is a maximal such $k < n$, because $\mathit{pfx}_n$ cannot hold at time $n$, by the first conjunct. Hence $\mathfrak{I}$ is indeed a 2-initial segment.

Conversely, let $\mathfrak{I} = (\sigma, n)$ be a 2-initial segment for $\mathit{pfx}$ of short length $k$. Then, for every $l \in \{0, \dots, n\}$, $\mathit{pfx}_l$ holds iff $l < k$. Since $k \leq n$, $\mathit{pfx}_n$ cannot hold, hence the first conjunct is indeed satisfied. Furthermore for every $l \in \{0, \dots, n\}$, if $\mathit{pfx}_{l+1}$ holds then $\mathit{pfx}_l$ holds, hence the second conjunct is satisfied. □

The beginning of the loop can be referred to by using a propositional variable $eq^k_i$, intended to be true only when $i$ is equal to the prefix index $k$ of the interpretation. This can be axiomatized as follows:

    $Ax_{i=k} = (\neg \mathit{pfx}_0 \Leftrightarrow eq^k_0) \wedge \bigwedge_{i=0}^{n-1}(\mathit{pfx}_i \wedge \neg \mathit{pfx}_{i+1} \Leftrightarrow eq^k_{i+1})$

To improve readability, $eq^k_i$ will be written "$i = k$".

Proposition 34. Let $\mathfrak{I}$ be a 2-initial segment of short length $k$ for $\mathit{pfx}$ s.t. $\mathfrak{I} \models Ax_{i=k}$. Then, for every $i \in \{0, \dots, n\}$, $\mathfrak{I} \models eq^k_i$ iff $i = k$.

Proof. If $k = 0$, then $\mathfrak{I} \not\models \mathit{pfx}_0$ hence $\mathfrak{I} \models eq^k_0$, by the first conjunct of $Ax_{i=k}$. Furthermore $\mathfrak{I} \not\models eq^k_{i+1}$ for any $i \in \{0, \dots, n - 1\}$ because $\mathit{pfx}_i$ does not hold and by the second conjunct of $Ax_{i=k}$.

If $k > 0$, then $\mathfrak{I} \models \mathit{pfx}_{k-1}$ and $\mathfrak{I} \not\models \mathit{pfx}_k$ hence, by the second conjunct, $\mathfrak{I} \models eq^k_k$. Furthermore, no other instant $l$ between $0$ and $n$ has the property that $\mathfrak{I} \models \mathit{pfx}_{l-1}$ and $\mathfrak{I} \not\models \mathit{pfx}_l$, hence the equivalence. □
4 Embedding SPS in LTL

We now show how SPS can be translated into LTL: given an SPS $s$, we build an LTL formula $\lfloor s \rfloor$ which is satisfiable iff $s$ is satisfiable. Then we show that the size of $\lfloor s \rfloor$ is polynomial or exponential w.r.t. the size of $s$, depending on the encoding of natural numbers (in the arithmetic expressions occurring in $s$). As LTL satisfiability is in PSPACE, we can thus conclude that the satisfiability of SPS is also in PSPACE when numbers are encoded in unary.

4.1 The $\lfloor \cdot \rfloor$ transformation

The main desideratum of $\lfloor \cdot \rfloor$ is that for every model $\mathfrak{M}$ of an SPS $s$, the interpretation $[\![\mathfrak{M}]\!]$ (Definition 21) is a model of $\lfloor s \rfloor$. An example is shown on Figure 4 (we represent LTL interpretations as sequences of sets of propositional variables, instead of sets of pairs (variable, number), as they are formally defined; similarly, schema interpretations are represented as the set of true indexed propositions).

    $(\{p_0, p_1, q_1, p_2, q_3\}, 2) \quad \mapsto \quad \{p, t < n\} \to \{p, q, t < n\} \to \{p\} \to \{q\}$
    $\bigwedge_{i=0}^{n-1}(p_i \vee q_i) \quad \mapsto \quad \lfloor \bigwedge_{i=0}^{n-1}(p_i \vee q_i) \rfloor$

Fig. 4. Specification of $\lfloor \cdot \rfloor$: example.

By Proposition 24, every interpretation such that $\phi^{t<n}$ (defined in Proposition 24) holds is an initial segment of length $n$ for a propositional variable "$t < n$". Furthermore, $Ax_{t=n}$ (defined after Proposition 24) enables us to use the variable "$t = n$". Our translation thus includes those formulae.



Definition 35. Let $s$ be an SPS. Then $\lfloor s \rfloor$ is an LTL formula defined as $\lfloor s \rfloor = \lfloor s \rfloor_{prop} \wedge \phi^{t<n} \wedge Ax_{t=n}$ where $\lfloor s \rfloor_{prop}$ is inductively defined as follows:

    $\lfloor \top \rfloor_{prop} = \top$
    $\lfloor p_k \rfloor_{prop} = X^k p$
    $\lfloor p_{n+k} \rfloor_{prop} = G(t = n \Rightarrow X^k p)$
    $\lfloor p_{i+k} \rfloor_{prop} = X^k p$
    $\lfloor \neg s \rfloor_{prop} = \neg \lfloor s \rfloor_{prop}$
    $\lfloor s_1 \wedge s_2 \rfloor_{prop} = \lfloor s_1 \rfloor_{prop} \wedge \lfloor s_2 \rfloor_{prop}$
    $\lfloor \bigwedge_{i=0}^{n-1} s \rfloor_{prop} = G(t < n \Rightarrow \lfloor s \rfloor_{prop})$

where $k \in \mathbb{N}$, $i \neq n$, and $X^0 \phi = \phi$, $X^{k+1} \phi = X(X^k \phi)$.

Example 36. We have: $\lfloor p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1}) \wedge \neg p_n \rfloor = p \wedge G(t < n \Rightarrow (p \Rightarrow Xp)) \wedge \neg G(t = n \Rightarrow p) \wedge \phi^{t<n} \wedge Ax_{t=n}$. Notice that it would be equivalent to have $p \wedge G(t < n \Rightarrow (p \Rightarrow Xp)) \wedge G(t = n \Rightarrow \neg p) \wedge \phi^{t<n} \wedge Ax_{t=n}$ because $t = n$ holds at only one moment. This variation is interesting because it does not introduce any eventuality, and is thus easier to handle for LTL decision procedures. It can be generalized, e.g., by putting every schema into n.n.f. before the translation, and then by defining a dedicated case for negative literals.
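The translation of Definition 35, together with $\phi^{t<n}$ (Proposition 24) and $Ax_{t=n}$, as an added Python example that is not code from the paper: it evaluates LTL formulae on interpretations that are empty beyond a finite prefix (which covers initial segments), embeds a schema interpretation as in Definition 21, and checks point 1 of Theorem 37 on the model of Figures 4 and 5 and on Example 36. The tuple encodings, the names ltl_holds, floor_prop, embed, translation_holds and the sample schema interpretations are assumptions of this example; $t = n$ is added at instant $n$ of the embedding, the only value Proposition 25 allows.

```python
# Schemata are nested tuples: ('top',), ('prop', p, (var, k)) with var in
# 'const', 'n', 'i' for the indices k, n+k, i+k, ('not', s), a binary
# ('and'|'or'|'imp'|'iff', s1, s2), and ('iter', s) for /\_{i=0}^{n-1} s.
# LTL formulae: ('top',), ('prop', p), ('not', f), the same binary tags,
# ('next', f), ('until', f, g), ('glob', f)   (G is kept as a primitive).
TOP = ('top',)
TLN, TEQN = ('prop', 't<n'), ('prop', 't=n')   # the variables t<n and t=n

def ltl_holds(f, states, t=0):
    """sigma,t |= f (Definition 5), sigma being given as a list of sets of
    propositions; sigma(u) is taken to be empty for every u >= len(states)."""
    L, tag = len(states), f[0]
    sub = lambda g, u: ltl_holds(g, states, u)
    if tag == 'top':
        return True
    if tag == 'prop':
        return t < L and f[1] in states[t]
    if tag == 'not':
        return not sub(f[1], t)
    if tag in ('and', 'or', 'imp', 'iff'):
        a, b = sub(f[1], t), sub(f[2], t)
        return {'and': a and b, 'or': a or b,
                'imp': (not a) or b, 'iff': a == b}[tag]
    if tag == 'next':
        return sub(f[1], t + 1)
    # Every suffix starting at an instant >= L is the same all-empty sequence,
    # so all those instants agree on every formula: t..max(t, L) is exhaustive.
    horizon = range(t, max(t, L) + 1)
    if tag == 'glob':
        return all(sub(f[1], u) for u in horizon)
    return any(sub(f[2], k) and all(sub(f[1], u) for u in range(t, k))
               for k in horizon)                                   # until

def nxt(f, k):
    """X^k f."""
    for _ in range(k):
        f = ('next', f)
    return f

def floor_prop(s):
    """|_s_|_prop (Definition 35)."""
    tag = s[0]
    if tag == 'top':
        return TOP
    if tag == 'prop':
        var, k = s[2]
        body = nxt(('prop', s[1]), k)        # p_k and p_{i+k} both give X^k p
        return ('glob', ('imp', TEQN, body)) if var == 'n' else body
    if tag == 'not':
        return ('not', floor_prop(s[1]))
    if tag in ('and', 'or', 'imp', 'iff'):
        return (tag, floor_prop(s[1]), floor_prop(s[2]))
    return ('glob', ('imp', TLN, floor_prop(s[1])))                # iteration

# phi^{t<n} = (t<n) U G(~t<n)                                 (Proposition 24)
PHI_TLN = ('until', TLN, ('glob', ('not', TLN)))
# Ax_{t=n} = G(t<n /\ ~X(t<n) <=> X(t=n)) /\ (~t<n <=> t=n)
AX_TEQN = ('and',
           ('glob', ('iff', ('and', TLN, ('not', ('next', TLN))), ('next', TEQN))),
           ('iff', ('not', TLN), TEQN))

def floor(s):
    """|_s_| = |_s_|_prop /\ phi^{t<n} /\ Ax_{t=n}."""
    return ('and', floor_prop(s), ('and', PHI_TLN, AX_TEQN))

def embed(sigma, n):
    """[[(sigma, n)]] (Definition 21) as a list of states: t<n holds exactly at
    the instants below n. The variable t=n is added at instant n, the value
    Proposition 25 forces on any model of Ax_{t=n}."""
    size = max([k for _, k in sigma] + [n]) + 1
    states = [{q for q, k in sigma if k == t} for t in range(size)]
    for t in range(n):
        states[t].add('t<n')
    states[n].add('t=n')
    return states

def translation_holds(sps, sigma, n):
    """[[(sigma, n)]] |= |_sps_|, i.e. point 1 of Theorem 37 for one model."""
    return ltl_holds(floor(sps), embed(sigma, n))

# Figures 4 and 5: /\_{i=0}^{n-1}(p_i \/ q_i) and its model ({p0,p1,q1,p2,q3}, 2)
FIG4_SPS = ('iter', ('or', ('prop', 'p', ('i', 0)), ('prop', 'q', ('i', 0))))
FIG4_MODEL = ({('p', 0), ('p', 1), ('q', 1), ('p', 2), ('q', 3)}, 2)
# Example 36: p_0 /\ /\_{i=0}^{n-1}(p_i => p_{i+1}) /\ ~p_n, and the same
# schema without its last conjunct (satisfiable)
P0 = ('prop', 'p', ('const', 0))
STEP = ('iter', ('imp', ('prop', 'p', ('i', 0)), ('prop', 'p', ('i', 1))))
EX36_SPS = ('and', P0, ('and', STEP, ('not', ('prop', 'p', ('n', 0)))))
CHAIN_SAT = ('and', P0, STEP)
```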

Figure 4 can now be updated into Figure 5.

    $(\{p_0, p_1, q_1, p_2, q_3\}, 2) \quad \mapsto \quad \{p, t < n\} \to \{p, q, t < n\} \to \{p\} \to \{q\}$
    $\bigwedge_{i=0}^{n-1}(p_i \vee q_i) \quad \mapsto \quad G(t < n \Rightarrow (p \vee q)) \wedge \phi^{t<n} \wedge Ax_{t=n}$

Fig. 5. Big picture for $\bigwedge_{i=0}^{n-1}(p_i \vee q_i)$ and one of its models.



4.2 Soundness and completeness of $\lfloor \cdot \rfloor$

Theorem 37. Let $s$ be an SPS. Then $[\![\cdot]\!]$ is a bijection between the models of $s$ and the models of $\lfloor s \rfloor$. The inverse bijection is $[\![\cdot]\!]^{-1}$ (Definition 21).

This result is more interesting than just "$s$ is satisfiable iff $\lfloor s \rfloor$ is satisfiable". Indeed, not only does it provide more insights about the translation, but it also makes explicit the inverse transformation for interpretations, which is useful for model building.

Proof. Notice that $[\![\cdot]\!]^{-1}$ is well defined because every model of $\lfloor s \rfloor$ is an initial segment by Proposition 24. We still have to prove the following:

1. for every model $\mathfrak{M}$ of $s$, $[\![\mathfrak{M}]\!]$ is a model of $\lfloor s \rfloor$;

2. for every model $\sigma$ of $\lfloor s \rfloor$, $[\![\sigma]\!]^{-1}$ is a model of $s$.

In the following, $\mathfrak{M}$ is a model of $s$, $n$ is the value given to $\mathsf{n}$ by $\mathfrak{M}$, $\sigma$ is a model of $\lfloor s \rfloor$ and $l$ is the length of $\sigma$ (as an initial segment of $t < n$). Notice that, by definition, $[\![\mathfrak{M}]\!]$ coincides with the propositional part of $\mathfrak{M}$ on any propositional variable other than $t < n$. Similarly, $\sigma$ coincides with the propositional part of $[\![\sigma]\!]^{-1}$ on any propositional variable other than $t < n$.

We prove both properties simultaneously by induction on $\lfloor s \rfloor_{prop}$:
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— Suppose s ^ pk, where fc e N. Then M \= s impUes {p, fc) e 971 C [[971JJ and 
by a straightforward induction on k this implies that [[9JIJJ ^ X'^p which 
proves [TJ For [21 suppose that a \= [sj, i.e. a \= X'^p. This easily entails that 
{p, k) e cr, thus [p, k) e l[crJJ"^ and so ^ pfc. 

— Suppose s — ptx+k- Then |= Pn+fc means that {p,n + k) e 971 C [[9HJJ. 
Consequently, X'^p is true at time n. Finally, by Proposition [25l t = n is true 
only at time n in [[971 Jj. Thus, at any time when we have t = n, we have 
X'^p; i.e. we have t = n ^ X'^p at any time; i.e. we have G(t = n => X'"'p). 
This proves [TJ For [21 suppose a \= [sJ, i.e. a \= G(t = n => X'^p). Thus for 
every t £ N, t = n X'^p is true at time t in a. But we know that t = n is 
true only at time / (the length of [sJ). Thus p is true at time I + k. Hence 
(p, I + k) G a, thus (p, I + k) Q [["'Jl^^! a-nd since the value of n in [[crjj"-'^ is 

^> |=Pn+fc- 

— The case s ~ p\+k is handled in the iteration cases (Lemma [35]). 

— Suppose s — -^s'. For[Tl if 971 |= s then 971 ^ s' . But, as [[.Jj~^ is the inverse 
of li.JI, 971 = [[([[97lJJ)JJ-i. Thus [L(|i97lJl)Jl-i ^ s'. By induction hypothesis, 
[21 holds for s', thus, by contraposition; [[97tJJ ^ [s'J. Consequently, [[971 JJ ^ 
- [s'J . ForH suppose cr ^ [sj,i.e. ct h ^ b'J- Thusa ^ [s'J, i.e. [[[[aJJ-^JJ [^ 
[s'J. By induction hypothesis, [l] holds for s', so, by contraposition: [[crjj"^ [^ 
s'. Thus h 

— Suppose s = si A S2. For[Tl if 97t ^ s then 971 ^ si and 971 [= S2 and one 
easily concludes by induction. For [21 if ct [= [sJ, i.e. a ^ [sij A [S2J, then 
CT \= [sij and CT \= [S2J and one can also conclude by induction. 

— Suppose $s = \bigwedge_{i=0}^{\mathtt n-1} s'$. We first prove the following intermediate lemma:

Lemma 38. For every initial segment $\sigma$ of length $l$, and every $t < l$: $\sigma \models \lfloor s'[t/i]\rfloor$ iff $\lfloor s'\rfloor$ holds in $\sigma$ at time $t$.

Proof. We prove both implications simultaneously by induction on the structure of $s'$:

• Suppose $s' = p_{i+k}$; thus $\lfloor s'\rfloor = \lfloor p_{i+k}\rfloor = X^k p$, and $\lfloor s'[t/i]\rfloor = \lfloor p_{t+k}\rfloor = X^{t+k} p$. For the first implication, assume that $\sigma \models \lfloor s'[t/i]\rfloor$, i.e. $\sigma \models X^{t+k} p$, which is equivalent to $p \in \sigma(t+k)$. This is in turn equivalent to saying that $X^k p$, i.e. $\lfloor s'\rfloor$, is true in $\sigma$ at time $t$. This proves the first implication, and also the second, as all reasoning steps are equivalences.

• As $s$ is strictly bound, there is no other base case (this is precisely why this restriction is essential).

• Suppose $s' = \neg s''$: then $\lfloor s'\rfloor = \neg\lfloor s''\rfloor$ and $\lfloor s'[t/i]\rfloor = \neg\lfloor s''[t/i]\rfloor$. For the first implication, assume that $\sigma \models \lfloor s'[t/i]\rfloor$, i.e. $\sigma \models \neg\lfloor s''[t/i]\rfloor$. Thus $\sigma \not\models \lfloor s''[t/i]\rfloor$. By the reverse implication of the induction hypothesis (more precisely, by its contrapositive), this means that $\lfloor s''\rfloor$ does not hold in $\sigma$ at time $t$. Consequently, $\neg\lfloor s''\rfloor$ holds in $\sigma$ at time $t$, hence the result. Once again, the second implication is obtained by reversing the reasoning.

• The proof for the conjunction case is routine.

• As the schema is sequential, iterations cannot be nested, thus $s'$ cannot contain an iteration, hence there are no more cases. □

Now we can get back to the iteration case of the main proof. For 1, if $\mathfrak{M} \models s$ then $\mathfrak{M} \models s'[t/i]$ for every $t \in \mathbb{N}$ s.t. $0 \le t < n$, by definition of the semantics of schemata. Thus, by induction hypothesis, $[\![\mathfrak{M}]\!] \models \lfloor s'[t/i]\rfloor$ for every such $t$. By Lemma 38, this means that $\lfloor s'\rfloor$ is true in $[\![\mathfrak{M}]\!]$ at every time $t$ s.t. $0 \le t < n$. From the semantics of LTL, $t \ge 0$ trivially holds, so it is enough to say that $\lfloor s'\rfloor$ is true in $[\![\mathfrak{M}]\!]$ at every time $t < n$ (notice that this would not be so simple if the schema were not simply iterated). This is equivalent to saying that $t{<}\mathtt n \Rightarrow \lfloor s'\rfloor$ is true at every time, hence the conclusion for 1. For 2, suppose that $\sigma \models \lfloor s\rfloor$, i.e. $\sigma \models G(t{<}\mathtt n \Rightarrow \lfloor s'\rfloor)$. Then, by definition of the semantics of LTL, $t{<}\mathtt n \Rightarrow \lfloor s'\rfloor$ is true in $\sigma$ at every time. Furthermore, $t{<}\mathtt n$ is true exactly at the times strictly below $l$, hence $\lfloor s'\rfloor$ is true in $\sigma$ at every time $t < l$. We can then conclude using the reverse implication of Lemma 38 and the semantics of schemata. □



4.3 Consequences. 

We then obviously have the expected result: 

Corollary 39. A SPS s is satisfiable iff [sJ is satisfiable. 

We have thus obtained an embedding of SPS into LTL. Consequently we can use any LTL satisfiability solver to decide the satisfiability problem for SPS: we simply translate the input schema to LTL with $\lfloor\cdot\rfloor$ and then run the LTL solver on the output formula. Thus:

Corollary 40. The satisfiability problem for SPS can be reduced to the satisfiability problem for LTL.

Notice furthermore that if the solver finds a model, then we can translate it back to a schema model using the inverse translation $[\![\cdot]\!]^{-1}$.
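As an added illustration of Theorem 37 and Corollary 40 (this is example code written for this page, not the authors' implementation), the following Python script implements the cases of $\lfloor\cdot\rfloor_{\mathrm{prop}}$ used in the proof above, the model translation $[\![\cdot]\!]$ that turns a schema model $(\mathfrak{M}, n)$ into an initial segment, and a small LTL evaluator, and then checks $\mathfrak{M} \models s$ iff $[\![\mathfrak{M}]\!] \models \lfloor s\rfloor_{\mathrm{prop}}$ over every schema model for a given $n$. The tuple encodings of schemata and LTL formulae are assumptions of this example; the fixed axiomatic part of $\lfloor s\rfloor$ (which forces LTL models to be initial segments) is not reproduced, since $[\![\mathfrak{M}]\!]$ is an initial segment by construction.

```python
"""SPS -> LTL (Section 4): the cases of |_s_|_prop used in the proof of
Theorem 37, the model translation [[.]] and a check of the correspondence
on small instances.  Example code written for this page; not the authors'
implementation.  Schemata and LTL formulae are nested tuples (an assumed
encoding).  The fixed axiomatic part of |_s_| that forces LTL models to be
initial segments is omitted: [[M]] is an initial segment by construction."""
from itertools import product

# Schema AST (SPS, non-nested iterations):
#   ('atom', p, ('k', 3))  is p_3           ('atom', p, ('n', 1)) is p_{n+1}
#   ('atom', p, ('i', 1))  is p_{i+1}       (i bound by the enclosing iteration)
#   ('not', s), ('and', s1, s2), ('iter', s) with ('iter', s) = /\_{i=0}^{n-1} s


def sat_schema(s, M, n, i=0):
    """(M, n) |= s, where M is a set of (p, index) pairs and n the parameter value."""
    kind = s[0]
    if kind == 'atom':
        _, p, (base, k) = s
        idx = {'k': k, 'n': n + k, 'i': i + k}[base]
        return (p, idx) in M
    if kind == 'not':
        return not sat_schema(s[1], M, n, i)
    if kind == 'and':
        return sat_schema(s[1], M, n, i) and sat_schema(s[2], M, n, i)
    if kind == 'iter':
        return all(sat_schema(s[1], M, n, j) for j in range(n))
    raise ValueError(kind)


# LTL AST: ('atom', p), ('X', f), ('G', f), ('not', f), ('and', f, g).
# 't<n' and 't=n' are ordinary propositional variables, as in the paper.

def X_k(f, k):
    """X^k f."""
    for _ in range(k):
        f = ('X', f)
    return f


def G_imp(guard, f):
    """G(guard => f), with => written as ~(guard /\\ ~f)."""
    return ('G', ('not', ('and', ('atom', guard), ('not', f))))


def translate(s):
    """|_s_|_prop, case by case as in the proof of Theorem 37."""
    kind = s[0]
    if kind == 'atom':
        _, p, (base, k) = s
        if base == 'n':                      # p_{n+k}  ->  G(t=n => X^k p)
            return G_imp('t=n', X_k(('atom', p), k))
        return X_k(('atom', p), k)           # p_k and p_{i+k}  ->  X^k p
    if kind == 'not':
        return ('not', translate(s[1]))
    if kind == 'and':
        return ('and', translate(s[1]), translate(s[2]))
    if kind == 'iter':                       # /\_{i=0}^{n-1} s'  ->  G(t<n => |_s'_|)
        return G_imp('t<n', translate(s[1]))
    raise ValueError(kind)


def interp(M, n):
    """[[M]]: state t holds p iff (p, t) in M; t<n holds for t < n and t=n at t = n.
    Returned as a finite list of states; every later state is empty."""
    last = max([n] + [idx for _, idx in M])
    states = []
    for t in range(last + 1):
        st = {p for p, idx in M if idx == t}
        if t < n:
            st.add('t<n')
        if t == n:
            st.add('t=n')
        states.append(frozenset(st))
    return states


def sat_ltl(f, states, t=0):
    """states, t |= f for the infinite trace 'states' followed by empty states.
    Because the tail is constant, G needs to be checked only up to len(states)."""
    def state(u):
        return states[u] if u < len(states) else frozenset()
    kind = f[0]
    if kind == 'atom':
        return f[1] in state(t)
    if kind == 'X':
        return sat_ltl(f[1], states, t + 1)
    if kind == 'not':
        return not sat_ltl(f[1], states, t)
    if kind == 'and':
        return sat_ltl(f[1], states, t) and sat_ltl(f[2], states, t)
    if kind == 'G':
        return all(sat_ltl(f[1], states, u) for u in range(t, max(t, len(states)) + 1))
    raise ValueError(kind)


def implies(a, b):
    return ('not', ('and', a, ('not', b)))


def P(base, k=0):
    return ('atom', 'p', (base, k))


# p_0 /\ /\_{i=0}^{n-1}(p_i => p_{i+1}) /\ ~p_n  (the example of Section 7): unsatisfiable
CHAIN_UNSAT = ('and', ('and', P('k', 0), ('iter', implies(P('i', 0), P('i', 1)))),
               ('not', P('n', 0)))
# /\_{i=0}^{n-1}(p_i => p_{i+1}) /\ p_n : satisfied exactly by monotone bit vectors ending in 1
CHAIN_SAT = ('and', ('iter', implies(P('i', 0), P('i', 1))), P('n', 0))


def agree(s, n, atoms=('p',), extra=0):
    """For every schema model (M, n) over p_0..p_{n+extra}, compare M |= s with
    [[M]] |= |_s_|_prop.  Returns (all_agree, number_of_models_of_s)."""
    cells = [(p, k) for p in atoms for k in range(n + 1 + extra)]
    all_agree, count = True, 0
    for bits in product([False, True], repeat=len(cells)):
        M = {c for c, b in zip(cells, bits) if b}
        lhs = sat_schema(s, M, n)
        rhs = sat_ltl(translate(s), interp(M, n))
        all_agree = all_agree and (lhs == rhs)
        count += lhs
    return all_agree, count


if __name__ == '__main__':
    print(translate(CHAIN_UNSAT))
    for n in range(4):
        print(n, agree(CHAIN_UNSAT, n), agree(CHAIN_SAT, n))
```

The check enumerates all schema models for one fixed value of $n$ at a time; the schema procedures of [ACP09,ACP10a] and the LTL solver used in Section 6 both reason about all $n$ at once, which is what this brute-force check cannot do.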

We can easily study the complexity of this transformation. For an object $x$ (schema, formula, arithmetic expression), let $\#x$ stand for the size of $x$ in number of symbols. For a schema $s$, let $\#\mathrm{ints}$ denote the size of the biggest number occurring in $s$, expressed w.r.t. the size of $s$. This takes into account the fact that numbers can be encoded either in unary or in binary: if they are encoded in binary then $\#\mathrm{ints} = O(2^{\#s})$, but if they are encoded in unary then $\#\mathrm{ints} = O(\#s)$. It may also happen that we consider only schemata whose biggest number is bounded by some constant; in such a case, we have $\#\mathrm{ints} = O(1)$. This case is worth considering since we may easily increase the size of a schema without increasing the numbers that occur in it. Then:

Proposition 41. For every SPS $s$, we have $\#\lfloor s\rfloor = O(\#s \cdot \#\mathrm{ints})$.

Proof. First, the part of $\lfloor s\rfloor$ that does not depend on $s$ has constant size. Then, since the construction of $\lfloor s\rfloor_{\mathrm{prop}}$ is by induction on $s$, there are $\#s$ recursive calls. Each of those calls adds a number of symbols either constant or proportional to some $k \in \mathbb{N}$ occurring in $s$ (all the cases with "$X^k$"), i.e. at worst $\#\mathrm{ints}$. □
Consequently, $\lfloor\cdot\rfloor$ is:

— linear if numbers are bounded by constants; 

— quadratic if numbers are encoded in unary; 

— exponential if they are encoded in binary. 

It is well known that the satisfiability of LTL is in PSPACE [SC85], thus:

Theorem 42. The satisfiability of SPS is in PSPACE if numbers are encoded in unary or bounded by constants. It is in EXPSPACE if numbers are encoded in binary.

This result improves over the one of [ACP10b], where the satisfiability of regular schemata is proved to be in EXPSPACE (resp. 2-EXPSPACE) if numbers are encoded in unary (resp. binary). Of course Theorem 42 only deals with sequential schemata, but both classes are close enough that we conjecture that the satisfiability of regular schemata is also in PSPACE.

5 Embedding LTL in SPS 

We now tackle the reverse embedding, i.e. we translate LTL to SPS. 

5.1 A first faulty translation: finiteness vs infiniteness. 

We provide a first, intuitive but faulty, translation: 

Definition 43. Let $\phi$ be an LTL formula. Then $\lceil\phi\rceil$ is a schema defined as $\lceil\phi\rceil_0$, where $\lceil\phi\rceil_e$ is inductively defined for any arithmetic expression $e$ as follows:
$$\lceil p\rceil_e = p_e \qquad \lceil\neg\phi\rceil_e = \neg\lceil\phi\rceil_e \qquad \lceil X\phi\rceil_e = \lceil\phi\rceil_{e+1}$$
$$\lceil\phi_1 U \phi_2\rceil_e = \bigvee_{i=e}^{\mathtt n}\Big(\lceil\phi_2\rceil_i \wedge \bigwedge_{j=e}^{i-1}\lceil\phi_1\rceil_j\Big)$$

But this is not satisfactory since the obtained schema is not sequential¹ and, more importantly, because a valid LTL formula can be translated into a non-valid schema, as the following example shows:

¹ Actually this is not even a schema in the sense of Definition 5, since the upper bounds of the iterations differ from $\mathtt n - 1$. Notice that this is not a regular schema [ACP09] either, since iterations are nested and the upper bound of one iteration contains a bound variable.
Example 44.
$$\lceil Xp \Rightarrow Fp\rceil = p_1 \Rightarrow \bigvee_{i=0}^{\mathtt n} p_i$$
The formula $Xp \Rightarrow Fp$ is valid, but the schema $p_1 \Rightarrow \bigvee_{i=0}^{\mathtt n} p_i$ is not valid (take any interpretation where $n = 0$). Adding conditions ensuring that $\mathtt n$ is strictly positive is possible, but obviously not sufficient: consider e.g. the formula $X^k p \Rightarrow Fp$. The above translation works for it only if $n \ge k$ (where $k$ is arbitrary).

The deep reason for this problem is that the semantics of schemata is intrinsically finite (though unbounded), whereas that of LTL is infinite. Actually, we can consider the previous translation as an indirect way to define a "finite-semantics LTL", i.e. LTL formulae interpreted over functions from $\{1,\dots,n\}$ to $2^{P}$ for any $n \in \mathbb{N}$. As explained in the Introduction, LTL with finite semantics has been studied in the contexts of planning and runtime verification [BK95,BM06,BHT0]. But it seems that, rather than considering finite traces per se, the preferred approach in those fields is to turn finite traces into infinite ones by repeating the last state infinitely often. Then the usual semantics of LTL can be used. Both systems seem however very similar.

5.2 A successful translation into non-SPS 

We actually need the ultimately periodic model property (Definition 6 and Theorem 7) to obtain a successful translation, written $\lceil\cdot\rceil$, of LTL formulae into schemata (not yet SPS, see Section 5.3). The aim of $\lceil\cdot\rceil$ is that for every model $\sigma$ of an LTL formula $\phi$, the interpretation $[\![\sigma]\!]$ (Definition 28) is a model of $\lceil\phi\rceil$. An example is provided in Figure 6.



[Fig. 6. Specification of $\lceil\cdot\rceil$: example. The figure relates a UP model of $G(Fp)$, whose states are $\{\}, \{p\}, \{\}, \{p\}, \{\}$ with the last state looping back to the third one, to the schema interpretation $(\{\mathrm{pfx}_0, \mathrm{pfx}_1, p_1, p_3\}, 4)$ of $\lceil G(Fp)\rceil$.]

Consider an LTL formula $\phi$. As we shall see, we will make use of the schema $s^{\mathrm{pfx}}$ (Proposition 33) to enforce the fact that every model of $\lceil\phi\rceil$ is a 2-initial segment. As already exposed, this 2-initial segment is intended to denote a UP interpretation of prefix index $k$ and period $l$ (and the parameter $\mathtt n$ is assigned the value $k + l - 1$). Then the translation of $\phi$ (or of its subformulae) is parametrized by an arithmetic expression $e$ intended to denote the current time (it may be either a natural number or a variable, when translating a subformula under an iteration, and it is initially equal to $0$). This instant will of course have an influence on the translation. In particular it is important to know whether this instant lies in the prefix of the UP model or in its loop. For the prefix, we already have the



propositional variable $\mathrm{pfx}$, which is specified by $s^{\mathrm{pfx}}$. But we need to introduce a new variable for the loop, say $\mathrm{loop}_e$, that would be true iff $e$ belongs to the loop. By definition, this is the case when $e \in \{k, \dots, k+l-1\}$, thus we have to check that $e \ge k$ and that $e \le \mathtt n$. By definition, the first property holds iff $\mathrm{pfx}_e$ does not hold. We thus need to express $e \le \mathtt n$ with a schema; this is done as follows:

Proposition 45. Let $(\sigma, n)$ be a schema interpretation and $e$ be a Presburger expression. Then $\sigma \models \bigvee_{i=e}^{\mathtt n} \top$ iff $e[n/\mathtt n] \le n$.

Proof. Indeed, if $e[n/\mathtt n] > n$ then the iteration is empty, thus $\bigvee_{i=e}^{\mathtt n}\top$ is the empty disjunction $\bot$, which cannot be satisfied by $\sigma$. Otherwise, if $e[n/\mathtt n] \le n$ then the iteration is non-empty, thus $\bigvee_{i=e}^{\mathtt n}\top$ is a non-empty disjunction of $\top$, which is equivalent to $\top$ and is therefore necessarily satisfied by $\sigma$. □

Thus we define $\mathrm{loop}_e$ as follows:
$$\mathrm{loop}_e \;=\; \neg\mathrm{pfx}_e \wedge \bigvee_{i=e}^{\mathtt n}\top$$



Definition 46. Let $\phi$ be an LTL formula; then $\lceil\phi\rceil$ is the schema defined as $\lceil\phi\rceil = \lceil\phi\rceil_0 \wedge s^{\mathrm{pfx}} \wedge \mathrm{Ax}$², where, for every arithmetic expression $e$, $\lceil\phi\rceil_e$ is inductively defined as follows:
$$\lceil\top\rceil_e = \top \qquad \lceil p\rceil_e = p_e \qquad \lceil\neg\phi\rceil_e = \neg\lceil\phi\rceil_e \qquad \lceil\phi_1\wedge\phi_2\rceil_e = \lceil\phi_1\rceil_e \wedge \lceil\phi_2\rceil_e$$
$$\lceil X\phi\rceil_e = \big(e < \mathtt n \wedge \lceil\phi\rceil_{e+1}\big) \vee \Big(e = \mathtt n \wedge \bigwedge_{i=0}^{\mathtt n}(i = k \Rightarrow \lceil\phi\rceil_i)\Big)$$
$$\lceil\phi_1 U \phi_2\rceil_e = \bigvee_{i=e}^{\mathtt n}\Big(\lceil\phi_2\rceil_i \wedge \bigwedge_{j=e}^{i-1}\lceil\phi_1\rceil_j\Big) \;\vee\; \Big(\mathrm{loop}_e \wedge \bigwedge_{j=e}^{\mathtt n}\lceil\phi_1\rceil_j \wedge \bigvee_{i=0}^{e}\big(\mathrm{loop}_i \wedge \bigwedge_{j=0}^{i-1}(\mathrm{loop}_j \Rightarrow \lceil\phi_1\rceil_j) \wedge \lceil\phi_2\rceil_i\big)\Big)$$
where $i = k$ expresses that $i$ is the prefix index (see the intuitions below for how this is stated with $\mathrm{loop}$).

Example 47. In the cases of $F$ and $G$, the translation simplifies drastically. For instance (some simple simplifications have been made):
$$\lceil Fp\rceil_0 = \bigvee_{i=0}^{\mathtt n} p_i \qquad\qquad \lceil Gp\rceil_0 = \bigwedge_{i=0}^{\mathtt n} p_i$$
This is not so simple if we consider a time $t > 0$:
$$\lceil Fp\rceil_t = \bigvee_{i=t}^{\mathtt n} p_i \;\vee\; \Big(\mathrm{loop}_t \wedge \bigvee_{i=0}^{t}(\mathrm{loop}_i \wedge p_i)\Big)$$
$$\lceil Gp\rceil_t = \bigwedge_{i=t}^{\mathtt n} p_i \;\wedge\; \Big(\neg\mathrm{loop}_t \vee \bigwedge_{i=0}^{t}(\mathrm{loop}_i \Rightarrow p_i)\Big)$$

² $s^{\mathrm{pfx}}$ is defined in Proposition 33 and $\mathrm{Ax}$ is defined before Proposition 34.



We provide some intuitions on the transformation corresponding to the $X$ and $U$ connectives. First, for $X$: when computing the next instant, one has to take into account the fact that we want a UP interpretation. Thus if $e = \mathtt n$, the next time after $e$ is not $e+1$ but $k$, where $k$ is the prefix index. This prefix index can be specified as the only index $i$ such that $\mathrm{loop}_i \wedge \neg\mathrm{loop}_{i-1}$ holds. Second, for $U$, the first disjunct is very natural: it corresponds to the typical case, for instance when time $e$ occurs before the loop. Then, according to the definition of the semantics of $U$, we only have to check that $\phi_1$ holds on some interval $\{e, \dots, i-1\}$ and then that $\phi_2$ holds at instant $i$. In general $i$ may be arbitrary, but since the interpretation is UP, we can restrict to the case where $i$ is in the interval $\{e, \dots, k+l-1\}$, i.e. $i \le \mathtt n$. The second disjunct is slightly more complex. It corresponds to the case where $e$ occurs inside the periodic part of the interpretation. In this case, the element $i$ such that $\phi_2$ holds may occur before $e$. Then $\phi_1 U \phi_2$ also holds if $\phi_1$ holds from $e$ to the end of the loop, i.e. $\mathtt n$, and then holds again when we "get back" to the beginning of the loop, i.e. from $k$ to some $i-1$, with $\phi_2$ holding at $i \le e$. Since $i \in \{0, \dots, e\}$, this can easily be stated as an iterated disjunction. The fact that $i \ge k$ is encoded by stating that $\mathrm{loop}_i$ must hold (i.e. $i$ must be inside the periodic part of the interpretation).

Remark 48. This transformation might remind the reader of some formulae encountered when dealing with the path model checking problem for UP interpretations [VG09]. This resemblance can be explained by observing that every model of $s^{\mathrm{pfx}}$ is a UP path, and $\lceil\phi\rceil_e$ is the operation of model checking the specified path. Then, as $s^{\mathrm{pfx}}$ specifies all UP paths, we actually model check all possible models, hence the fact that we can conclude about satisfiability.

This transformation is sound and complete but the resulting schema is not sequential (iterations are nested and their bounds differ from $0$ and $\mathtt n - 1$). Consequently, we present another translation in the next section, which does fall in the class of SPS.

5.3 A successful translation into SPS 

The following translation pursues more or less the same goal as the previous one: for every model $\sigma$ of an LTL formula $\phi$, the interpretation $[\![\sigma]\!]$ shall be a model of $\lceil\phi\rceil$. Hence it relies again on the UP property. This new transformation uses a structure-preserving approach: for each subformula $\phi$ (other than an indexed proposition) of the original formula, we introduce a fresh propositional variable written $|\phi|$. For an indexed proposition $p$, $|p| = p$. Each indexed propositional variable $|\phi|_i$, $0 \le i \le \mathtt n$, is then intended to be true iff the subformula $\phi$ is true at time $i$. Formally, we extend $[\![\cdot]\!]$ as follows:

Definition 49. Let $\sigma$ be a UP interpretation and $\phi$ an LTL formula. Then:

— for every propositional variable of the form $|\psi|$ for some subformula $\psi$ of $\phi$, $(|\psi|, i) \in [\![\sigma]\!]$ iff $\sigma, i \models \psi$;

— for every other variable, $[\![\sigma]\!]$ is defined as described earlier.

Furthermore, for each subformula of the form $\phi_1 U \phi_2$, we add another propositional variable called $|\phi_1 U' \phi_2|$ (called this way because its behaviour is very close to the one of $U$), interpreted as true at $t \in \mathbb{N}$ iff there is $t' \in \mathbb{N}$ s.t. $t \le t' \le k+l-1$ where $\phi_1$ holds between $t$ and $t'-1$ and $\phi_2$ holds at $t'$, i.e. the semantics is the same as for $U$ except that the instant at which $\phi_2$ occurs must happen before the end of the loop (as explained thereafter, this variable is used to ensure that the eventuality indeed happens).

Note that this semantic transformation now depends on the formula to translate. The inverse operation is defined as in Definition 31, except that the value of any variable $|\psi|$ is "forgotten".

The translation is done by adding axioms to compute the values of the newly introduced propositional variables (relating these values to the ones of the propositional variables originally occurring in the formula). As we shall see, the specification of those new variables is straightforward when the head symbol of the subformula is a boolean connective: the value of the considered variable can be directly related to the values of the variables corresponding to the operands, see the definition of $\mathrm{Ax}_{\neg\phi}$ and $\mathrm{Ax}_{\phi_1\wedge\phi_2}$ in Definition 50 below.

When the head symbol of the subformula is a temporal connective, we have to distinguish whether the index denotes a time strictly lower than $\mathtt n$ or equal to $\mathtt n$ (since the interpretation is UP, we only have to consider the time interval $\{0, \dots, \mathtt n\}$). In both cases, the value of the considered propositional variable $|\phi|$ at time $i$ is related to the one of the variables at the next instant. If $i < \mathtt n$ then this next instant is easy to compute: it is simply $i+1$. But if $i = \mathtt n$, since the values of the variables $|\phi|$ are specified only on the interval $\{0, \dots, \mathtt n\}$, we cannot refer to time $\mathtt n + 1$ and we have to take advantage of the fact that the interpretation is periodic: since $\mathtt n$ necessarily corresponds to the end of the periodic part, the next instant must be the beginning of the loop. This is easily handled in the $X$ case: if we have $X\phi$ at time $\mathtt n$ then we must have $\phi$ at time $k$, where $k$ is the beginning of the loop.

In the $U$ case, if we have $\phi_1 U \phi_2$ at time $\mathtt n$ then we have to deal with the fact that $\phi_2$ might hold after $\mathtt n$, i.e. between time $k$ and $\mathtt n - 1$ (by taking the loop into account). In this case we have to check that $\phi_2$ holds between $k$ and $\mathtt n - 1$, and that $\phi_1$ holds in between. This check is triggered by the use of the new connective $U'$, whose specification is thus added to the definition. Intuitively, $\phi_1 U' \phi_2$ may be seen as a connective interpreted as $\phi_1 U \phi_2$, except that the formula $\phi_2$ must hold at the latest at time $\mathtt n$ (one may wonder why not use $U$ directly instead of $U'$; but this would yield an ill-founded definition: the eventuality could always be delayed and never fulfilled).

Definition 50. Let $\phi$ be an LTL formula. Then $\lceil\phi\rceil$ is the schema defined as $\lceil\phi\rceil = |\phi|_0 \wedge \Phi^{\mathrm{Ax}} \wedge s^{\mathrm{pfx}} \wedge \mathrm{Ax}$, where $\Phi^{\mathrm{Ax}}$ stands for $\bigwedge\{\mathrm{Ax}_\psi \mid \psi \text{ is a subformula of } \phi\}$ and $\mathrm{Ax}_\psi$ is defined as follows:
$$\mathrm{Ax}_\top = \bigwedge_{i=0}^{\mathtt n} |\top|_i$$
$$\mathrm{Ax}_{\neg\phi} = \bigwedge_{i=0}^{\mathtt n}\big(|\neg\phi|_i \Leftrightarrow \neg|\phi|_i\big)$$
$$\mathrm{Ax}_{\phi_1\wedge\phi_2} = \bigwedge_{i=0}^{\mathtt n}\big(|\phi_1\wedge\phi_2|_i \Leftrightarrow |\phi_1|_i \wedge |\phi_2|_i\big)$$
$$\mathrm{Ax}_{X\phi} = \bigwedge_{i=0}^{\mathtt n-1}\big(|X\phi|_i \Leftrightarrow |\phi|_{i+1}\big) \wedge \Big(|X\phi|_{\mathtt n} \Leftrightarrow \bigwedge_{i=0}^{\mathtt n}(i = k \Rightarrow |\phi|_i)\Big)$$
$$\begin{aligned}
\mathrm{Ax}_{\phi_1 U \phi_2} \;\stackrel{def}{=}\;\; & \bigwedge_{i=0}^{\mathtt n-1}\Big(|\phi_1 U \phi_2|_i \Leftrightarrow |\phi_2|_i \vee \big(|\phi_1|_i \wedge |\phi_1 U \phi_2|_{i+1}\big)\Big) \\
\wedge\; & \Big(|\phi_1 U \phi_2|_{\mathtt n} \Leftrightarrow \big(|\phi_2|_{\mathtt n} \vee (|\phi_1|_{\mathtt n} \wedge \bigwedge_{i=0}^{\mathtt n}(i = k \Rightarrow |\phi_1 U' \phi_2|_i))\big)\Big) \\
\wedge\; & \bigwedge_{i=0}^{\mathtt n-1}\Big(|\phi_1 U' \phi_2|_i \Leftrightarrow |\phi_2|_i \vee \big(|\phi_1|_i \wedge |\phi_1 U' \phi_2|_{i+1}\big)\Big) \\
\wedge\; & \Big(|\phi_1 U' \phi_2|_{\mathtt n} \Leftrightarrow |\phi_2|_{\mathtt n}\Big)
\end{aligned}$$
where $\bigwedge_{i=0}^{\mathtt n} s$ is a shortcut for $\bigwedge_{i=0}^{\mathtt n-1} s \wedge s[\mathtt n/i]$ (we need to define this as an abbreviation so that the schema is indeed sequential).
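The following Python script instantiates Definition 50 for a fixed value of $\mathtt n$; it is example code written for this page, not the authors' implementation. It reads each $\mathrm{Ax}_\psi$ as a definition of $|\psi|_i$ (the equivalences determine every $|\psi|_i$ and $|\phi_1 U' \phi_2|_i$ from the atoms and the prefix index, with $U'$ computed backwards from index $\mathtt n$ and the index-$\mathtt n$ cases wrapping to $k$), so satisfiability of the instance reduces to a search over $k$ and the atoms $p_0, \dots, p_n$. Two points are assumptions of this example: $s^{\mathrm{pfx}}$ is not reproduced in this section, so only the property stated for it is used (pfx holds exactly on a prefix $0..k-1$ with $k \le n$), and the side condition "$i = k$" is read as "$i$ is the first index at which pfx is false". The tuple encoding of LTL formulae is likewise ad hoc. It revisits the model of Figure 6 and the formula $Xp \Rightarrow Fp$ of Example 44, which the faulty translation of Definition 43 mishandled.

```python
"""LTL -> SPS, Definition 50 instantiated for a fixed value of n.  Example
code written for this page, not the authors' implementation.  LTL formulae
are nested tuples (assumed encoding).  The schema s^pfx is not reproduced in
this section; we only use the property stated for it, namely that pfx holds
exactly on a prefix 0..k-1 with k <= n (the loop k..n is non-empty), and we
read the index condition 'i = k' of Definition 50 as 'i is the first index at
which pfx is false'.  Every |psi|_i variable is fixed by the axioms Ax_psi,
so satisfiability of the instance reduces to a search over k and p_0..p_n."""
from itertools import product

TRUE = ('true',)


def at(p):      return ('atom', p)
def NOT(f):     return ('not', f)
def AND(f, g):  return ('and', f, g)
def IMP(f, g):  return NOT(AND(f, NOT(g)))
def X(f):       return ('X', f)
def U(f, g):    return ('U', f, g)
def F(f):       return U(TRUE, f)
def G(f):       return NOT(F(NOT(f)))


def value(f, i, n, k, M, memo, prime=False):
    """|f|_i (or |f1 U' f2|_i when prime=True) in the instance with parameter
    value n, prefix index k and atoms M (a set of (p, index) pairs), computed
    from the axioms Ax_f of Definition 50 read as definitions."""
    key = (f, i, prime)
    if key in memo:
        return memo[key]
    kind = f[0]
    if kind == 'true':
        v = True
    elif kind == 'atom':                       # |p|_i is p_i itself
        v = (f[1], i) in M
    elif kind == 'not':
        v = not value(f[1], i, n, k, M, memo)
    elif kind == 'and':
        v = value(f[1], i, n, k, M, memo) and value(f[2], i, n, k, M, memo)
    elif kind == 'X':
        # Ax_X: |Xf|_i <=> |f|_{i+1} for i < n, and |Xf|_n <=> |f|_k (back to the loop start)
        v = value(f[1], i + 1 if i < n else k, n, k, M, memo)
    elif kind == 'U':
        f1, f2 = f[1], f[2]
        if prime:
            # U': |f1 U' f2|_i <=> |f2|_i \/ (|f1|_i /\ |f1 U' f2|_{i+1}) for i < n,
            #     |f1 U' f2|_n <=> |f2|_n   -- the eventuality must be met by index n
            v = value(f2, i, n, k, M, memo) or (
                i < n and value(f1, i, n, k, M, memo)
                and value(f, i + 1, n, k, M, memo, True))
        elif i < n:
            v = value(f2, i, n, k, M, memo) or (
                value(f1, i, n, k, M, memo) and value(f, i + 1, n, k, M, memo))
        else:
            # |f1 U f2|_n <=> |f2|_n \/ (|f1|_n /\ |f1 U' f2|_k): wrap around once
            v = value(f2, n, n, k, M, memo) or (
                value(f1, n, n, k, M, memo) and value(f, k, n, k, M, memo, True))
    else:
        raise ValueError(kind)
    memo[key] = v
    return v


def holds(f, n, k, M):
    """The instance of <f> is |f|_0 /\\ axioms; with the axioms used as
    definitions it is satisfied by (k, M) iff |f|_0 evaluates to true."""
    return value(f, 0, n, k, M, {})


def atoms_of(f):
    if f[0] == 'atom':
        return {f[1]}
    return set().union(*(atoms_of(g) for g in f[1:]))


def satisfiable(f, n):
    """Search the instance of <f> w.r.t. n over its free variables: the prefix
    index k in 0..n and the values of p_0..p_n for each atom p.  Returns a
    model (k, M) or None."""
    cells = [(p, i) for p in sorted(atoms_of(f)) for i in range(n + 1)]
    for k in range(n + 1):
        for bits in product([False, True], repeat=len(cells)):
            M = {c for c, b in zip(cells, bits) if b}
            if holds(f, n, k, M):
                return k, M
    return None


def up_model(n, k, M, atoms):
    """[[.]]^-1: the UP interpretation as (prefix states 0..k-1, loop states k..n)."""
    states = [frozenset(p for p in atoms if (p, i) in M) for i in range(n + 1)]
    return states[:k], states[k:]


if __name__ == '__main__':
    p = at('p')
    fig6 = {('p', 1), ('p', 3)}                 # the interpretation of Fig. 6: n = 4, k = 2
    print(holds(G(F(p)), 4, 2, fig6), up_model(4, 2, fig6, ['p']))
    print([satisfiable(NOT(IMP(X(p), F(p))), n) for n in range(5)])   # Example 44 revisited
```

Unlike Example 44, $\neg(Xp \Rightarrow Fp)$ has no model for any $n$ here, including $n = 0$, because $|Xp|_{\mathtt n}$ wraps to the loop start and $|\top\,U\,p|_0$ is forced to cover every index up to $\mathtt n$ through $U'$. The search is per instance; the point of the schema procedures is to avoid this enumeration of $n$.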

Lemma 51. Let $\phi$ be an LTL formula and $n \in \mathbb{N}$. The instance of $\lceil\phi\rceil$ w.r.t. $n$ contains only variables whose index lies between $0$ and $n$.

Proof. By inspection of all cases in Definition 50, all indices of propositional variables in $\lceil\phi\rceil$ are $\mathtt n$, $i$ or $i+1$, and $i$ is always bound by an iteration whose bounds are $0$ and $\mathtt n - 1$. Consequently the instance of $\lceil\phi\rceil$ w.r.t. $n$ only contains indexed propositional variables whose indices are between $0$ and $n$. □

Theorem 52. Let $\phi$ be an LTL formula. Then $[\![\cdot]\!]$ is a bijection between the UP models of $\phi$ and the models of $\lceil\phi\rceil$ (if the latter are restricted to the values of the propositional variables occurring in the corresponding instance of $\lceil\phi\rceil$). $[\![\cdot]\!]^{-1}$ is the inverse bijection.
Proof. We first prove that the codomain of $[\![\cdot]\!]$ indeed falls into the set of models of $\lceil\phi\rceil$, i.e., for every UP model $\sigma$ of a formula $\phi$, $[\![\sigma]\!] \models \lceil\phi\rceil$. Let $k, l$ be the prefix index and period of $\sigma$. Note that, by Definition 28, $[\![\sigma]\!]$ gives the value $k+l-1$ to the parameter. Then we actually prove the more general result that for any $t \in \mathbb{N}$, if $\sigma, t \models \phi$ then $[\![\sigma]\!] \models s^{\mathrm{pfx}} \wedge |\phi|_t \wedge \Phi^{\mathrm{Ax}}$. First, since $[\![\sigma]\!]$ is a 2-initial segment w.r.t. $\mathrm{pfx}$, $[\![\sigma]\!] \models s^{\mathrm{pfx}}$. Second, $[\![\sigma]\!] \models |\phi|_t$ by definition (Definition 49). Finally we prove $[\![\sigma]\!] \models \Phi^{\mathrm{Ax}}$ by proving that $[\![\sigma]\!] \models \mathrm{Ax}_\psi$ for any subformula $\psi$ of $\phi$, depending on the head symbol of $\psi$:

— Assume $\psi = \top$. For any $t \in \mathbb{N}$, $\sigma, t \models \top$ by definition of the semantics of LTL. Thus, by definition of $[\![\sigma]\!]$, $[\![\sigma]\!] \models |\top|_t$ for every $t$. Hence $[\![\sigma]\!] \models \mathrm{Ax}_\top$.

— Assume $\psi = \neg\psi'$. For any $t \in \mathbb{N}$, $\sigma, t \models \psi$ iff $\sigma, t \not\models \psi'$, by definition of the semantics of LTL. Thus, by definition of $[\![\sigma]\!]$, $[\![\sigma]\!] \models |\psi|_t$ iff $[\![\sigma]\!] \not\models |\psi'|_t$, i.e. $[\![\sigma]\!] \models \neg|\psi'|_t$ (this time by definition of the semantics of schemata). Consequently, $[\![\sigma]\!] \models |\psi|_t \Leftrightarrow \neg|\psi'|_t$ for any $t \in \mathbb{N}$, and in particular for $t$ between $0$ and $k+l-1$. Thus $[\![\sigma]\!] \models \mathrm{Ax}_\psi$.

— The conjunction case is similar.

— Assume that $\psi = \phi_1 U \phi_2$. Let $t \in \mathbb{N}$ be s.t. $\sigma, t \models \psi$. By the semantics of LTL, there exists $t' \ge t$ s.t. $\sigma, t' \models \phi_2$ and, for all $t''$ between $t$ and $t'-1$, $\sigma, t'' \models \phi_1$. Thus either $\sigma, t \models \phi_2$, or $\sigma, t \models \phi_1$ and $\sigma, t+1 \models \psi$. Hence, by definition of $[\![\cdot]\!]$, $[\![\sigma]\!] \models |\phi_2|_t$, or $[\![\sigma]\!] \models |\phi_1|_t$ and $[\![\sigma]\!] \models |\psi|_{t+1}$, which enables us to conclude for the first conjunct of the $U$ case. For the reverse implication, suppose $[\![\sigma]\!] \models |\phi_2|_t \vee (|\phi_1|_t \wedge |\phi_1 U \phi_2|_{t+1})$ for some $t \in \mathbb{N}$. If $[\![\sigma]\!] \models |\phi_2|_t$, then it is clear that $[\![\sigma]\!] \models |\phi_1 U \phi_2|_t$. If $[\![\sigma]\!] \models |\phi_1|_t \wedge |\phi_1 U \phi_2|_{t+1}$, then by definition $\sigma, t \models \phi_1 \wedge X(\phi_1 U \phi_2)$, thus $\sigma, t \models \phi_1 U \phi_2$ and $[\![\sigma]\!] \models |\phi_1 U \phi_2|_t$.

For the second conjunct (i.e. the second line; notice that, for the sake of presentation simplicity, there is one conjunct per line), assume $t = k+l-1$. If $\sigma, t \models \phi_2$ then we are done. Otherwise, we have $t' > k+l-1$. This means that $\sigma, k+l \models \phi_1 U \phi_2$, which, by periodicity, is equivalent to $\sigma, k \models \phi_1 U \phi_2$, and so to $\sigma, k \models \phi_1 U' \phi_2$.

For the third and fourth conjuncts the proof is similar, except that we now must ensure that the instant at which $\phi_2$ occurs is lower than or equal to $k+l-1$. This is indeed the case of $t'$

— The case of $X$ is similar (but much simpler).

We now focus on the inverse transformation. First, $[\![\cdot]\!]^{-1}$ is well defined: since $\lceil\phi\rceil$ contains $s^{\mathrm{pfx}}$, every model of $\lceil\phi\rceil$ is a 2-initial segment. Second, it is easily seen that $[\![([\![\sigma]\!])]\!]^{-1} = \sigma$. Third, $[\![([\![\mathfrak{I}, n]\!]^{-1})]\!]$ is well defined since, by definition, $[\![\mathfrak{I}, n]\!]^{-1}$ is UP. Then $[\![([\![\mathfrak{I}, n]\!]^{-1})]\!] = (\mathfrak{I}, n)$, if we restrict to the values of $\mathfrak{I}$ for indices up to $n$. They might differ for indices above $n$, but, by Lemma 51, variables with such indices do not occur in the instance of $\lceil\phi\rceil$ by $n$. Since we consider equality among interpretations only up to the values of the propositional variables occurring in the corresponding instance of $\lceil\phi\rceil$, we indeed have the intended equality.

We finally show that the codomain of $[\![\cdot]\!]^{-1}$ indeed falls in the set of models of $\phi$, i.e. that for every model $\mathfrak{M}$ of $\lceil\phi\rceil$, $[\![\mathfrak{M}]\!]^{-1} \models \phi$. We shall prove the more general result that, for every $t \le k+l-1$, where $k, l$ are the prefix index and the period of $[\![\mathfrak{M}]\!]^{-1}$, and every subformula $\psi$ of $\phi$: if $\mathfrak{M} \models s^{\mathrm{pfx}} \wedge |\psi|_t \wedge \Phi^{\mathrm{Ax}}$ then $[\![\mathfrak{M}]\!]^{-1}, t \models \psi$. By induction on the structure of $\psi$:

— For $\top$ this is trivial.

— Assume $\psi = \neg\psi'$. Then $\mathfrak{M} \models s^{\mathrm{pfx}} \wedge |\psi|_t \wedge \Phi^{\mathrm{Ax}}$ implies $\mathfrak{M} \models |\neg\psi'|_t$ and $\mathfrak{M} \models \mathrm{Ax}_{\neg\psi'}$, thus $\mathfrak{M} \models \neg|\psi'|_t$, so $\mathfrak{M} \not\models |\psi'|_t$. As already shown, $\mathfrak{M} = [\![([\![\mathfrak{M}]\!]^{-1})]\!]$ (as far as we consider $t \le k+l-1$, which is indeed the case here), hence $[\![([\![\mathfrak{M}]\!]^{-1})]\!] \not\models |\psi'|_t$. Hence, by contraposition w.r.t. the previous result in this proof, $[\![\mathfrak{M}]\!]^{-1}, t \not\models \psi'$. Consequently, $[\![\mathfrak{M}]\!]^{-1}, t \models \psi$.

— For conjunction the result is routine, using the induction hypothesis.

— Assume $\psi = X\psi'$. Then we have either $t < k+l-1$ or $t = k+l-1$. In the first case, one easily gets $\mathfrak{M} \models s^{\mathrm{pfx}} \wedge |\psi'|_{t+1} \wedge \Phi^{\mathrm{Ax}}$ by the first conjunct of $\mathrm{Ax}_{X\psi'}$ and concludes by induction hypothesis. In the second case, $|\psi|_t$ is equivalent to $|\psi|_{\mathtt n}$ (because, by definition of $[\![\cdot]\!]^{-1}$, $k+l-1$ is the value given to $\mathtt n$), so we can use the second conjunct, which states that $|\psi'|$ must hold at time $k$. By the UP property, $\psi'$ also holds at time $k+l$, i.e. $t+1$, hence the result.

— Finally assume $\psi = \phi_1 U \phi_2$. We have two cases. Either there is some $t'$ between $t$ and $k+l-1$ s.t. $|\phi_2|_{t'}$ holds; assume furthermore that $t'$ is the smallest time with this property; in this case, $|\phi_1|$ must hold between $t$ and $t'-1$, by the (iterated application of the) first conjunct of $\mathrm{Ax}_{\phi_1 U \phi_2}$; then just apply the induction hypothesis to conclude. Or there is no such $t'$, in which case $|\phi_1|$ must hold from $t$ to $k+l-1$, by the same argument. Furthermore, since $|\phi_2|_{t'}$ never holds for $t'$ between $t$ and $k+l-1$, the iteration $\bigwedge_{i=0}^{\mathtt n}(i = k \Rightarrow |\phi_1 U' \phi_2|_i)$ of the second conjunct also holds in $\mathfrak{M}$. Hence $\mathfrak{M} \models |\phi_1 U' \phi_2|_k$. Consequently, by the iterated application of the last two conjuncts, there must be some $t'$ between $k$ and $k+l-1$ (actually $t-1$ is sufficient) s.t. $|\phi_2|_{t'}$ holds, and $|\phi_1|$ holds in between: indeed, the last conjunct imposes that $|\phi_2|$ must hold at the latest at instant $\mathtt n$ (note: this is precisely why $U'$ is needed). The fact that $|\phi_1|$ holds in between is due to the similar structure of the first two and the last two conjuncts. Finally, by the UP property, the same holds for $t'+l$, which enables us to conclude. □

Furthermore it is clear that $\#\lceil\phi\rceil$ is linear w.r.t. $\#\phi$.

Corollary 53. The satisfiability problem for LTL can be reduced in linear space to the satisfiability problem for SPS.

Theorem 54. The satisfiability problem for SPS is PSPACE-complete if numbers are encoded in unary or bounded by a constant.

Proof. Consequence of the fact that the satisfiability problem for LTL is PSPACE-complete, of the previous corollary and of Theorem 42. □

Notice however that this result could be proved in a much simpler way by directly encoding a polynomial-space Turing machine with SPS. Such a proof would be very close to the one of Theorem 1 in [Byl91].
Improvements. For practical efficiency, we can improve over Definition 50. We can translate the purely propositional connectives directly, i.e. without axiomatising them: any occurrence of an atom $|\top|_e$ (resp. $|\neg\phi|_e$, resp. $|\phi_1\wedge\phi_2|_e$) is directly replaced by $\top$ (resp. $\neg|\phi|_e$, resp. $|\phi_1|_e \wedge |\phi_2|_e$), repeatedly, until there is no such occurrence left. The same applies to $\vee$, $\Rightarrow$ and $\Leftrightarrow$. Those are defined as abbreviations in the present paper in order to simplify definitions and proofs, but it is of course more efficient in practice to translate them directly when available as primitive connectives (obviously, this is also true for Definition 35).

Another optimization can be devised by observing that all schemata decision procedures [ACP09,ACP10a] reason by induction on $\mathtt n$, i.e. they refute a schema for any value of $\mathtt n$ by reduction to the case $\mathtt n - 1$. In our reduction, $\mathtt n$ corresponds to the last instant of the UP interpretation. Consequently, a schema procedure applied to a translated LTL formula starts by considering the last instant of the interpretation and then goes backward. This is counter-natural since we try to refute a formula at time $0$. For instance, an inductive proof is carried out for the formula $Xp \wedge X\neg p$ even though this is obviously not needed: one would naturally first look at what happens at time $0$ and then switch to the next state, as is done with LTL procedures. To tackle this problem we just need to change the translation by "inverting the time": i.e. the index $0$ will be interpreted as the last instant of the period and the index $\mathtt n$ as its first instant. Concretely, in Definition 50 we just rewrite every index $i-1$ into $i$, every index $i$ into $i+1$, every index $0$ into $\mathtt n$, and every index $\mathtt n$ into $0$. Experiments with this translation indeed confirm that conjectures are refuted faster using this new translation.

Remark 55. The translation given here might remind the reader of bounded model checking (BMC) [BCC+03]. A very important difference however is that our reduction is complete, which is of course not the case for BMC. Indeed, the whole point of schemata is to reason about an infinite family of propositional formulae without having to instantiate the parameter. Our translation could of course be used for BMC, simply by instantiating the parameter with successive natural numbers. However the converse does not hold: not every translation found in BMC could be used instead of Definition 50, since the result must respect the syntactic criteria ensuring decidability of the satisfiability problem. For instance, renaming subformulae by propositional variables is just an optimization in the case of BMC, whereas in our case it is needed since, otherwise, the resulting schema would not be sequential (and not even regular). Completeness is an important problem in BMC, which is usually tackled with notions like completeness thresholds and recurrence diameter [BCC+03] or induction [SSS00]. A thorough analysis of how schemata procedures handle the above translation could give new ideas for obtaining completeness in BMC.

6 Implementation 



The implementations of both translations are available at http : //membres-liglab. imag. f r/aravEintinos/Si 

Some preliminary experiments have been carried out on a few benchmarks: standard schemata examples provided with RegSTAB [ACP10c] have been translated to LTL (note that the examples have been slightly modified in order to fit the constraints of SPS), and standard LTL pattern formulae [RV07] have been translated

to SPS. The performance of RegSTAB and pltl (http://users.cecs.anu.edu.au/~rpg/software.html)

have been compared on both benchmarks. In both cases, pltl clearly outperformed RegSTAB. We see two reasons for this:

— RegSTAB deals with regular schemata, which are more general than SPS. In particular, the decision procedure for such schemata requires the detection and elimination of pure literals (an adaptation of the "affirmative-negative rule" of [DP60]), which is well known to be a very time-consuming task (and this is even more the case for schemata, since we have to deal with a symbolic notion of pure literal). This auxiliary procedure is needed for termination, and is mainly a consequence of the "non-local" aspect of schemata.

— With LTL procedures, given a formula $\phi$, one knows in advance all the formulae that will occur in the deduction process: all of them belong to the closure of $\phi$ (essentially the set of all subformulae of $\phi$, closed under negation and unfolding of temporal formulae); this permits the use of efficient data structures to represent sets of formulae, e.g. pltl uses bitsets. This is not the case for SPS (and even less for regular schemata): e.g. refuting a schema containing $\bigwedge_{i=0}^{\mathtt n} p_i$ potentially leads to the introduction of $p_{\mathtt n}, p_{\mathtt n-1}, p_{\mathtt n-2}, \dots$ By termination for regular schemata [ACP09], this enumeration is finite, but one does not know in advance how far it has to go. Hence the data structures used in RegSTAB are much heavier: e.g. we use balanced trees for sets of formulae. Thus, for big examples, the memory is easily saturated and RegSTAB spends much of its time handling it, which was absolutely not the case for pltl.

The most important reason seems to be the second one. It can actually be tackled in order to improve RegSTAB's performance: we can syntactically extract from the input schema a bound for the above enumeration $p_{\mathtt n}, p_{\mathtt n-1}, p_{\mathtt n-2}, \dots$ by analysing the termination proof for regular schemata. Implementing this technique is ongoing work.

Yet, there are examples where RegSTAB did better than pltl. Consider $(p_1 \Rightarrow q_{\mathtt n+1}) \wedge p_1 \wedge \neg q_{\mathtt n+1} \wedge \phi$ where $\phi$ is any formula involving some iterations. This schema is immediately refuted by RegSTAB, but the bigger $\phi$ is, the longer it takes pltl to refute the corresponding LTL formula. Of course, this example was devised to emphasize one of the strengths of RegSTAB: contrarily to LTL procedures in general, and to pltl in particular, reasoning about schemata is global, i.e. RegSTAB may reason simultaneously on propositions containing various symbolic indices. In contrast, pltl will analyse the formula $\phi$ and the contradiction will appear only at the end of the construction (i.e. by eventually "discovering" that $t{=}\mathtt n$ cannot hold at any state, since it would allow a contradiction to be derived).






7 Discussion 

7.1 Pros and cons of each logic 

Since LTL and SPS are equivalent w.r.t. satisfiability, one may wonder which to 
favour. There are two major differences between LTL and schemata: 

— LTL default interpretations are infinite whereas those of schemata are finite; 

— LTL refers to states in an anonymous way, whereas schemata name them. 

These differences provide us with clear criteria for choosing one logic or the other 
in different situations: to specify an infinite behaviour, one would naturally use 
LTL, whereas classes of structurally similar finite behaviours are more naturally 
specified with schemata. Unsurprisingly, the specification of temporal behaviours 
falls in the first category. But, e.g., the specification of a circuit inde- 
pendently of the number of bits of its input falls in the second category. Consider 
for instance the specification of a ripple-carry adder: 

  $\bigwedge_{i=0}^{n} \big((s_i \Leftrightarrow (x_i \oplus y_i) \oplus c_i) \wedge (c_{i+1} \Leftrightarrow (x_i \wedge y_i) \vee (y_i \wedge c_i) \vee (x_i \wedge c_i))\big) \wedge \neg c_0$

where $x_0, \ldots, x_n$ and $y_0, \ldots, y_n$ are the input bit vectors of size n; $s_0, \ldots, s_n$ 
is the output bit vector and $c_0, \ldots, c_n$ is the carry vector. Here the indices 
indeed correspond to the time in a concrete sequential circuit. However, from a 
specification point of view, those indices are just an abstract way to represent a 
generic scheme of circuits. Consequently, the schema syntax seems better suited 
to this case (notice furthermore that it is very intuitive). 
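To make the "one specification for every bit width" point concrete, here is an added example (not code from the paper or its authors) that expands the ripple-carry adder schema for a chosen n into its n+1 conjuncts over the indexed propositions $s_i, x_i, y_i, c_i$, and checks, for every pair of input vectors, that the assignment a circuit with that carry logic produces satisfies the schema instance and encodes integer addition. The function names and the faulty carry variant `carry_buggy` are constructed for this example:

```python
"""Instantiating the ripple-carry adder schema for a fixed n.

Added example (not from the paper): the iterated conjunction is expanded into
its n+1 instances over the indexed propositions s_i, x_i, y_i, c_i, and every
input pair is checked against the integer addition the schema specifies.
"""
from itertools import product


def carry_full(x, y, c):
    """c_{i+1} as defined by the schema: (x_i ∧ y_i) ∨ (y_i ∧ c_i) ∨ (x_i ∧ c_i)."""
    return (x and y) or (y and c) or (x and c)


def carry_buggy(x, y, c):
    """Constructed faulty carry (the x_i ∧ c_i term is dropped), used only to
    show that the check really discriminates; it is not part of the paper."""
    return (x and y) or (y and c)


def adder_schema(n, v):
    """Evaluate the schema instance for n under assignment v, a dict from
    indexed names such as 'x3' to booleans:
       ∧_{i=0}^{n} ((s_i ⇔ (x_i ⊕ y_i) ⊕ c_i)
                  ∧ (c_{i+1} ⇔ (x_i ∧ y_i) ∨ (y_i ∧ c_i) ∨ (x_i ∧ c_i))) ∧ ¬c_0"""
    if v["c0"]:
        return False
    for i in range(n + 1):
        x, y, c, s = v[f"x{i}"], v[f"y{i}"], v[f"c{i}"], v[f"s{i}"]
        if s != ((x ^ y) ^ c):
            return False
        if v[f"c{i+1}"] != carry_full(x, y, c):
            return False
    return True


def propagate(n, xs, ys, carry=carry_full):
    """Assignment obtained by letting a circuit with the given carry logic run
    on inputs xs, ys (each n+1 booleans, index 0 least significant)."""
    v = {"c0": False}
    for i in range(n + 1):
        v[f"x{i}"], v[f"y{i}"] = xs[i], ys[i]
        c = v[f"c{i}"]
        v[f"s{i}"] = (xs[i] ^ ys[i]) ^ c
        v[f"c{i+1}"] = carry(xs[i], ys[i], c)
    return v


def to_int(bits):
    """Little-endian bit vector to integer."""
    return sum(int(b) << i for i, b in enumerate(bits))


def check_adder(n, carry=carry_full):
    """True iff for every input pair the circuit's assignment satisfies the
    schema instance and s_0..s_n together with c_{n+1} encode x + y."""
    for xs in product([False, True], repeat=n + 1):
        for ys in product([False, True], repeat=n + 1):
            v = propagate(n, xs, ys, carry)
            if not adder_schema(n, v):
                return False
            result = [v[f"s{i}"] for i in range(n + 1)] + [v[f"c{n+1}"]]
            if to_int(result) != to_int(xs) + to_int(ys):
                return False
    return True
```

The same schema text is instantiated for every n; the faulty carry only misbehaves once a carry-in can be set, so `check_adder(0, carry_buggy)` passes while `check_adder(1, carry_buggy)` fails, which is exactly the kind of width-dependent defect a parameterised specification is meant to catch.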

Similarly, the choice between a named or an anonymous representation of 
states depends on the situation. The X connective is well suited to express 
properties in a local way, since there is no need to explicitly use an index to 
refer to the current or the next state. The U connective is also far more in- 
tuitive than its translation to SPS to refer to some instant satisfying some 
property in the future. On the other hand, in order to refer to an identified 
instant of the future, one needs to refer to it by giving it a name, which is easily 
done with the schema syntax thanks to arithmetic. Consider e.g. the example 
$p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1}) \wedge \neg p_n$ translated as $p \wedge G(t<n \wedge p \Rightarrow Xp) \wedge G(t=n \Rightarrow \neg p)$ 
(plus the necessary axioms $\phi^{t<n} \wedge Ax_{t=n}$) in LTL. One can even specify behaviours 
after that time (but this goes beyond sequential schemata [ACP11]), e.g. one can 
write $p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1}) \wedge \bigwedge_{i=n}^{2n-1}(\neg p_{i+1} \Rightarrow \neg p_i) \wedge \neg p_{2n}$. It seems improbable that 
such a property would be useful in a temporal context, but this could be used 
to specify planning problems with some predefined strategy, e.g. if one wants to 
allow some set of actions in a first phase of a planning problem and then another 
set in some other phase of this problem. 

7.2 Behaviour of [.] w.r.t. LTL decision procedures 

We now analyse informally how the standard multi-pass tableau procedure of 
[Wol85] (called LTL-tab from now on) behaves on a translated schema. Consider 
the example $p_0 \wedge \bigwedge_{i=0}^{n-1}(p_i \Rightarrow p_{i+1}) \wedge \neg p_n$ and its translation $p \wedge G(t<n \wedge p \Rightarrow Xp) \wedge G(t=n \Rightarrow \neg p) \wedge \phi^{t<n} \wedge Ax_{t=n}$. We do not present a detailed tableau, 
instead we just sketch its construction by focusing on the most relevant branches 
(the following requires some knowledge of LTL-tab, see [Wol85] otherwise). 

When applying LTL-tab, the rule for the U connective applies on $\phi^{t<n}$ (i.e. 
$(t<n)\,U\,G(\neg t<n)$) and generates one branch where $G(\neg t<n)$ holds and one 
branch where $t<n$ and $X((t<n)\,U\,G(\neg t<n))$ hold. Intuitively, the first one 
corresponds to the case $n = 0$ (since it states that $\neg(t<n)$ always holds from the 
initial state till $\omega$) while the second one corresponds to $n > 0$ (since $t<n$ holds 
at the initial state). In the first case, LTL-tab easily finds a contradiction using 
mostly propositional reasoning ($\neg t<n$ entails $t=n$ thanks to $Ax_{t=n}$, and $t=n$ 
entails $\neg p$ with $G(t=n \Rightarrow \neg p)$, thus yielding a contradiction). In the second 
case, since $t<n$ holds, one easily obtains $Xp$ by propositional reasoning with 
$t<n \wedge p \Rightarrow Xp$. Then the decomposition of $Ax_{t=n}$ yields $G(t<n \wedge \neg X(t<n) \Leftrightarrow X(t=n))$. By application of the rule for G, one immediately gets the formula 
$t<n \wedge \neg X(t<n) \Leftrightarrow X(t=n)$, and we then get two non-closed branches: one 
where $\neg X(t<n)$ and $X(t=n)$ hold (call this state "1"), and one where $X(t<n)$ 
and $\neg X(t=n)$ hold ("2"). At the next state, we thus have two branches: one 
where $\neg t<n$ and $t=n$ hold, and one where $t<n$ and $\neg t=n$ hold. The first 
branch means that the instant corresponding to n has been reached and is easily 
closed similarly to the base case (actually, up to some formulae that only occur 
in the initial formula, this state is the same as the one corresponding to $n = 0$). 
The second branch means that n has still not been reached, thus we can go to the 
next state without encountering a contradiction. This is easily seen to lead either 
to state "1" or "2", hence the construction of the tableau terminates. Since "2" is 
closed the only non-closed branch is the one that indefinitely loops on "1". But 
this loop is closed in the second pass because the eventuality $(t<n)\,U\,G(\neg t<n)$ 
is never satisfied. 

To sum up, the construction of this tableau follows quite faithfully a proof by 
induction on the parameter n. The axioms $\phi^{t<n}$ and $Ax_{t=n}$ contain the arithmetic 
content that drives the induction, while $[s]$ contains the purely propositional 
content. Since LTL has to deal with infinite interpretations the induction is not 
well-founded in general (this is of course a wanted feature of LTL in order to deal 
with coinductive specifications). But the axiom $\phi^{t<n}$ introduces the eventuality 
$(t<n)\,U\,G(\neg t<n)$ which enforces a well-founded induction. Notice that [.] can 
be modified so that $\phi^{t<n}$ is the only eventuality occurring in the resulting for- 
mula. Indeed, in its current state, the translation may introduce eventualities in 
two ways: either by negating an iteration $\bigwedge_{i=0}^{n-1} s$, or by negating an atom of the 
form $p_{n+k}$. In the first case, the negation is equivalent to $\bigvee_{i=0}^{n-1} \neg s$, which can easily 
be simulated by the proposition $q_n$ with the axiom $\neg q_0 \wedge \bigwedge_{i=0}^{n-1}(q_{i+1} \Leftrightarrow q_i \vee \neg s)$. 

In the second case the translation of $\neg p_{n+k}$ is $\neg G(t=n \Rightarrow X^k p)$*. But, as al- 
ready encountered in Example 35, this is equivalent to $G(t=n \Rightarrow X^k \neg p)$ since 
$t = n$ holds at only one instant. Consequently one can get rid of those artificial 
eventualities as follows: 

* Notice that this translation has been simplified since we use $G(t=n \Rightarrow \neg p)$ instead 
of $\neg G(t=n \Rightarrow p)$. 

— put the schema in negation normal form (this introduces $\bot$, disjunctions and 
iterated disjunctions); 

— delete every iterated disjunction by replacing it with a proposition $q_n$ axiom- 
atized as above; 

— apply the translation (which is straightforwardly extended to $\bot$ and disjunc- 
tion) by handling the case $\neg p_{n+k}$ as above. 

This is interesting since it makes the second pass much easier to handle. Fur- 
thermore it shows clearly that the overall proof is indeed an inductive proof, 
obtained from a coinductive proof by discarding the ill-founded branch in the 
second pass. 

Proof procedures for schemata are defined by combining usual propositional 
procedures and inductive reasoning. This inductive reasoning is performed by a 
loop detection during the construction of the tableau. For instance Stab [ACP09] 
is defined by extending semantic tableaux. The reader acquainted with Stab 
may have noticed that the tableau we just sketched looks quite similar to the 
one that would be obtained with Stab for the corresponding schema. This is 
mainly a matter of strategy since we oriented the construction in a way to make 
it understandable from a "schema point of view". There are many other tableaux 
that would have differed from the one obtained with Stab. The main differences 
between LTL-tab and Stab are the following: 

— Arithmetic is handled natively in Stab; 

— In LTL-tab, termination is ensured by identifying nodes with the same 
labels, whereas this is not sufficient, in Stab, to ensure termination: a dedi- 
cated cycle relation must be defined (e.g. there is a cycle between $\bigwedge_{i=0}^{n-1} s$ and 
$\bigwedge_{i=0}^{n} s$). This is obviously not an essential difference, which is only related 
to the way schemata are represented and stored in the nodes; 

— In LTL-tab, an artificial branch corresponding to an ill-founded derivation 
is discarded in the second phase, whereas in Stab the cycle relation embeds 
a (strict) ordering which ensures the well-foundedness of the derivation (e.g. 
$\bigwedge_{i=0}^{n-1} s$ cannot loop on itself). Consequently Stab does not require a second 
phase. 

— In LTL-tab, the reasoning is purely local, i.e. only formulae that are true at 
the current state are derived. In contrast, Stab may reason simultaneously 
on propositions containing various symbolic indices. This is related to the 
fact that schemata handle time in a symbolic way and it explains why, as 
mentioned in Section 5, pltl performed so badly on $(p_1 \Rightarrow q_{n+1}) \wedge p_1 \wedge \neg q_{n+1} \wedge \phi$ 
where $\phi$ is a big formula involving some iterations. In contrast LTL-tab (and 
pltl) analyses the formula $\phi$ and the contradiction appears only at the end 
of the construction (i.e. by "discovering" eventually that $t = n$ cannot hold 
at any state, since it would allow one to derive a contradiction). 

7.3 Behaviour of [.] w.r.t. SPS decision procedures 

Conversely, we can consider an LTL formula $\phi$ and apply Stab on $[\phi]$. For 
instance, take the unsatisfiable LTL formula $Xp \wedge \neg Xp$. The translation 
is then the conjunction of the following schemata (we use the optimizations 
mentioned at the end of Section 5): 

  $[Xp]_0 \wedge [X\neg p]_0$

  $\bigwedge_{i=0}^{n-1}([Xp]_i \Leftrightarrow p_{i+1})$

  $[Xp]_n \Leftrightarrow (0 = k \Rightarrow p_0) \wedge \bigwedge_{i=0}^{n-1}(i+1 = k \Rightarrow p_{i+1})$

  $\bigwedge_{i=0}^{n-1}([X\neg p]_i \Leftrightarrow \neg p_{i+1})$

  $[X\neg p]_n \Leftrightarrow (0 = k \Rightarrow \neg p_0) \wedge \bigwedge_{i=0}^{n-1}(i+1 = k \Rightarrow \neg p_{i+1})$

  $\neg pfx_n \Leftrightarrow n = k$

  $\bigwedge_{i=0}^{n-1}(pfx_{i+1} \wedge \neg pfx_i \Leftrightarrow i = k)$

  $\neg pfx_0$

  $\bigwedge_{i=0}^{n-1}(pfx_i \Rightarrow pfx_{i+1})$

It is immediately noticed that, even though the transformation is linear, the lin- 
ear coefficient is very big: a very simple LTL formula is turned into a complicated 
schema. 

We just sketch the resulting tableau. As explained in the previous section, the 
general idea of Stab is to refute a formula by induction on the parameter n. In 
the context of [.], n represents the length of a UP interpretation. Consequently 
Stab shows that every UP interpretation falsifies the formula, by induction on 
n. Such an approach is obviously original, but a priori not natural from an LTL 
point of view. The general scheme of the proof may be divided into three cases 
as follows (see Fig. 7): either the interpretation has only one state (looping 
on itself), or it has more than one state. In the first case, there are finitely 
many interpretations, so the proof is easily achieved (simply by a tableaux-like 
enumeration of interpretations). In the second case, we encounter two more cases, 
depending on the position of the prefix index: it can either coincide with the first 
state, or with a state farther in the interpretation (formally, this corresponds to 
a simple case splitting on the propositional variable $n = k$). The reasoning in 
each case then depends on the formula itself. 

Fig. 7. Proof by induction on the size of a UP interpretation 



It is particularly interesting to understand how we deal with eventualities: 
how does it happen that we do not need a second phase, similarly to LTL-tab? 
To answer this question, we can observe (again informally) how Stab behaves on 
the formula $Gp \wedge F\neg p$. Notice that we can easily define a simplified translation 
for the connectives G and F with the following axioms: 

  $Ax_{G\phi} = \bigwedge_{i=0}^{n-1}([G\phi]_i \Leftrightarrow [\phi]_i \wedge [G\phi]_{i+1}) \wedge ([G\phi]_n \Leftrightarrow [\phi]_n \wedge \bigwedge_{i=0}^{n}(i = k \Rightarrow [G\phi]_i))$

  $Ax_{F\phi} = \bigwedge_{i=0}^{n-1}([F\phi]_i \Leftrightarrow [\phi]_i \vee [F\phi]_{i+1}) \wedge ([F\phi]_n \Leftrightarrow [\phi]_n \vee \bigwedge_{i=0}^{n}(i = k \Rightarrow [F'\phi]_i)) \wedge \bigwedge_{i=0}^{n-1}([F'\phi]_i \Leftrightarrow [\phi]_i \vee [F'\phi]_{i+1}) \wedge ([F'\phi]_n \Leftrightarrow [\phi]_n)$

where F' is a new connective which is to F what U' is to U. The case with only 
one state is easily handled. When there is more than one state, it is easily seen 
that the conjecture $Gp \wedge F\neg p$ still holds at the next instant. Thus if the prefix 
index is above 1, then the induction hypothesis allows us to conclude immediately. 
However when the prefix is empty, the induction hypothesis does not apply: 
we actually need to make a case splitting on the value of the variable $F'\neg p$: 
intuitively, this variable holds iff there is some instant before n s.t. $\neg p$ holds. If 
this variable is assumed true, then we easily obtain a contradiction with $Gp$ (by 
induction). If it is supposed false, then we get a contradiction with the (second 
conjunct of the) axiom of U which states that $\phi_1 U' \phi_2$ must hold at time k (i.e. 
0, here), and this concludes the refutation. 
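The induction "on the size n of a UP interpretation" described in this section (the case split on whether the loop index k coincides with the first state, and the refutations of $Xp \wedge \neg Xp$ and $Gp \wedge F\neg p$) can be made concrete with a brute-force counterpart. The following is an added example, not code from the paper and not the Stab procedure: it represents a UP interpretation as n+1 labelled states 0..n with state n followed by state k, evaluates an LTL formula directly on that finite representation, and enumerates all UP interpretations up to a chosen size. The tuple-based formula syntax and all function names are assumptions of this example:

```python
"""Exhaustive check of an LTL formula over small UP interpretations.

Added example (not from the paper, and not the Stab procedure): a UP
interpretation is given by n+1 labelled states 0..n and a loop index k,
state n being followed by state k. Formulas are tuples:
("p", name), ("not", f), ("and", f, g), ("or", f, g), ("X", f),
("G", f), ("F", f), ("U", f, g).
"""
from itertools import combinations, product


def step(i, n, k):
    """Successor of position i: i+1 before the last state, k after state n."""
    return i + 1 if i < n else k


def path(i, n, k):
    """Positions visited from i; 2(n+1) steps suffice to visit every reachable one."""
    out = []
    for _ in range(2 * (n + 1)):
        out.append(i)
        i = step(i, n, k)
    return out


def holds(f, i, states, k):
    """Truth of f at position i of the UP interpretation (states, k)."""
    n = len(states) - 1
    op = f[0]
    if op == "p":
        return f[1] in states[i]
    if op == "not":
        return not holds(f[1], i, states, k)
    if op == "and":
        return holds(f[1], i, states, k) and holds(f[2], i, states, k)
    if op == "or":
        return holds(f[1], i, states, k) or holds(f[2], i, states, k)
    if op == "X":
        return holds(f[1], step(i, n, k), states, k)
    if op == "G":
        return all(holds(f[1], j, states, k) for j in path(i, n, k))
    if op == "F":
        return any(holds(f[1], j, states, k) for j in path(i, n, k))
    if op == "U":
        # f[1] U f[2]: f[2] at some reachable j, f[1] at every position before it
        for j in path(i, n, k):
            if holds(f[2], j, states, k):
                return True
            if not holds(f[1], j, states, k):
                return False
        return False
    raise ValueError(f"unknown connective {op!r}")


def up_interpretations(props, n):
    """Every UP interpretation with n+1 states over the given propositions."""
    labels = [frozenset(c) for r in range(len(props) + 1)
              for c in combinations(props, r)]
    for states in product(labels, repeat=n + 1):
        for k in range(n + 1):
            yield list(states), k


def find_up_model(f, props, max_n):
    """First (states, k) with n <= max_n satisfying f at state 0, else None.
    Like Stab the search is organised by the size n; unlike Stab it is only a
    bounded search and proves nothing about sizes beyond max_n."""
    for n in range(max_n + 1):
        for states, k in up_interpretations(props, n):
            if holds(f, 0, states, k):
                return states, k
    return None


P = ("p", "p")
XP_AND_NOT_XP = ("and", ("X", P), ("not", ("X", P)))   # Xp ∧ ¬Xp
GP_AND_F_NOT_P = ("and", ("G", P), ("F", ("not", P)))   # Gp ∧ F¬p
```

The enumeration finds no model of either formula for any bounded n, which is what one expects; the difference with Stab is that the induction on n closes the argument for all n at once, whereas the enumeration above only covers the sizes it visits.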

Let us now generalize the way eventualities are handled. At any moment, the 
procedure "stores" the fact that any eventuality occurring as a subformula of 
the original formula holds or not. This is stored in the corresponding "primed" 
subformula (i.e. it is true iff the eventuality holds). Then, if ever an eventuality 
does not hold at the end of the period, the second conjunct of the U axiom 
imposes that the eventuality held before that time, inside the period. If this 
was not the case, then the corresponding primed subformula is false, thus we 
get a contradiction and this interpretation is discarded. On the contrary, if the 
eventuality held before, then we have found a model. 

The reader acquainted with the one-pass Schwendimann algorithm ("SA") 
for LTL [Sch98] might recognize this behaviour. Indeed this algorithm builds 
a tableau by maintaining in each state a set of unfulfilled eventualities. This 
can be seen as corresponding to the "primed eventualities" of our translation. 
The set of unfulfilled eventualities at a state can be retrieved simply as the set 
of primed eventualities that are false at that state. However, apart from those 
informal similarities, the procedures are quite different: 

— Stab builds explicitly a UP interpretation (that can be retrieved directly 
from a non-closed branch of the resulting tableau) whereas SA just ensures 
that such an interpretation exists (which can be retrieved by loop lineariza- 
tion, see [Sch98], proof of Theorem 28). This probably makes the outcome 
of SA more "understandable", since it is more compact. 

— In any branch, Stab considers all eventualities, whereas SA considers only 
the eventualities needed for the current branch. This probably makes SA 
more efficient than Stab since many useless situations are trivially discarded. 

— On the other hand, the fact that Stab considers all eventualities makes 
it possible to consider a looping in the whole tree. This is not the case of 
SA which imposes a looping in the current branch. This is precisely why 
the worst-case complexity of SA is bigger than the one of algorithms à la 
Wolper. Of course, an implementation of Stab can still impose loopings to 
occur only in the current branch, which thus makes both possibilities available 
to Stab. Consequently, an advantage of Stab is that it allows for a one-pass 
algorithm, while preserving an exponential time complexity. 

— The trade-off is that Stab makes some redundant computations: for instance, 
the procedure needs to "decide" in advance if a node is the start of the UP 
interpretation's loop, thus leading to two different branches sharing many 
inferences. With SA, the inferences are just made irrespective of whether 
the node will be the start of the loop or not, and then the loop detection 
is handled by the algorithm itself. Similarly the fact that the semantics are 
encoded in the translation makes Stab consider some cases that would be 
automatically discarded by SA. 

8 Model checking safety properties with schemata: an example 

With the translation given in Section 5 and classical results of reduction from 
satisfiability to model checking [SC85,RV07], one can of course use schemata 
to model check LTL formulae. However if we restrict ourselves to n.n.f. LTL 
formulae whose only temporal operators are X and G, we can obtain a much 
simpler translation into schemata. Such formulae are of interest since they can 
in particular model safety properties, i.e. formulae of the form $G\psi$ where $\psi$ is a 
purely propositional formula. Suppose we have a transition system T and want 
to check if it is a model of $\phi$. We first recall those notions: 






Definition 56. A transition system is the triple of a set of states S, a set of 
actions A, and a transition function $\delta : S \times A \to S$. A (finite or infinite) path 
is a sequence of states which respects the transition function. 

An interpreted transition system is the pair of a transition system and a 
labelling function $l : S \to 2^V$, where V is a finite set of propositional variables. 
As usual a computation is a sequence of subsets of V corresponding to some path 
of the transition system. For a given path $\pi$, we write $l(\pi)$ for its corresponding 
computation. 

An infinite computation can obviously be seen as an LTL interpretation (in 
the sense of the earlier definition of LTL interpretations). Then an interpreted transition system $(T, l)$ is a model 
of an LTL formula $\phi$ iff every infinite computation in $(T, l)$ is a model of $\phi$. 

We now show on an example how we can model check a transition system against 
a formula using schemata. We do not provide any formalisation since the example 
can easily be generalized. Consider the interpreted transition system T repre- 
sented on Figure 8. We can represent the behaviour of T on all finite paths with 
a schema. 

Fig. 8. A transition system T (state labels visible in the figure: {p, q, ¬r} and {p, ¬q, ¬r}) 

First we model the sole structure of the system, i.e. the uninterpreted transi- 
tion system. The indexed proposition $state^1_i$ (resp. $state^2_i$, $state^3_i$) means we are 
in state 1 (resp. 2, 3) at time i, and $action^a_i$ (resp. $action^b_i$) means that the action 
taken at time i is a (resp. b). Each transition of T from a state j to a state j' by 
an action x gives one schema of the form 

  $state^j_i \wedge action^x_i \Rightarrow state^{j'}_{i+1}$

(six such schemata, one per arrow of Fig. 8). 

Now the label of each state is easily modelled by the following schema: 

  $state^1_i \Rightarrow p_i \wedge q_i \wedge \neg r_i$
  $state^2_i \Rightarrow \neg p_i \wedge q_i \wedge r_i$
  $state^3_i \Rightarrow p_i \wedge \neg q_i \wedge \neg r_i$

where $p_i$ (resp. $q_i$, $r_i$) means that p (resp. q, r) holds at time i. Finally we also 
have to specify the fact that, at each instant i, there is one and only one state active, 
and one and only one action can be taken†: 



  $state^1_i \Leftrightarrow \neg state^2_i \wedge \neg state^3_i$
  $state^2_i \Leftrightarrow \neg state^1_i \wedge \neg state^3_i$
  $state^3_i \Leftrightarrow \neg state^1_i \wedge \neg state^2_i$
  $action^a_i \Leftrightarrow \neg action^b_i$

We write s for the conjunction of all those schemata, all wrapped under a single 
$\bigwedge_{i=0}^{n}$. It is not precisely an SPS since the upper bound of this iteration is n and 
not n − 1. But this is easily circumvented (s is regular anyway). 

Now if we want to check this model against the formula $G(p \vee q)$, we first 
translate this formula into a schema: $[G(p \vee q)] = \bigwedge_{i=0}^{n}(p_i \vee q_i)$. If the transition 
system is indeed a model of $G(p \vee q)$, then $s \Rightarrow \bigwedge_{i=0}^{n}(p_i \vee q_i)$ must be valid (which 
intuitively means that for every $n \in \mathbb{N}$ and every path of length n, the property 
$p \vee q$ holds all along the path). Equivalently, it is a model iff $s \wedge \bigvee_{i=0}^{n}(\neg p_i \wedge \neg q_i)$ 
is unsatisfiable (which means that there exists $n \in \mathbb{N}$ and a path of length n s.t. 
the property $p \vee q$ does not hold at one state of the path). We can thus use any 
regular schema SAT-solver (like RegStab) to check if this formula is satisfiable 
or not. 
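The procedure just described, i.e. encode the finite paths of length n by indexed propositions and ask whether $s \wedge \bigvee_{i=0}^{n} \neg\psi_i$ has a model, is illustrated below by an added example that is not code from the paper. Since the arrows of the system T of Fig. 8 are not reproduced here, the interpreted transition system in the block is constructed for this example (its states, actions, $\delta$ and labelling are assumptions, not T). Rather than calling a schema SAT-solver, the example enumerates the paths of each length, builds the assignment of $state^j_i$, $action^x_i$, $p_i$, $q_i$, $r_i$ each path induces, checks it against an analogue of the schema s, and evaluates the translated refutation form on it:

```python
"""Bounded model checking of a safety property G ψ by path enumeration.

Added example (not from the paper): the interpreted transition system below
is constructed for this example and is NOT the system T of Fig. 8.  For each
path length n the path's induced assignment of the indexed propositions
state^j_i, action^x_i, p_i, q_i, r_i is checked against an analogue of the
schema s, and the refutation form ∨_{i=0}^{n} ¬ψ_i is evaluated on it.
"""
from itertools import product

STATES = (1, 2, 3)
ACTIONS = ("a", "b")
DELTA = {(1, "a"): 2, (1, "b"): 3, (2, "a"): 3, (2, "b"): 1,
         (3, "a"): 1, (3, "b"): 3}                     # δ : S × A → S (constructed)
LABEL = {1: {"p", "q"}, 2: {"q", "r"}, 3: {"p", "r"}}  # l : S → 2^V (constructed)
INITIAL = 1
PROPS = ("p", "q", "r")


def paths(n, start=INITIAL):
    """All paths of length n (n+1 states, n actions) from start."""
    for acts in product(ACTIONS, repeat=n):
        states = [start]
        for a in acts:
            states.append(DELTA[(states[-1], a)])
        yield states, acts


def assignment(states, acts):
    """Indexed propositions induced by a path (no action is taken at time n)."""
    n = len(states) - 1
    v = {}
    for i in range(n + 1):
        for j in STATES:
            v[f"state{j}_{i}"] = states[i] == j
        for x in ACTIONS:
            v[f"action{x}_{i}"] = i < n and acts[i] == x
        for prop in PROPS:
            v[f"{prop}_{i}"] = prop in LABEL[states[i]]
    return v


def schema_s(n, v):
    """Analogue of the paper's schema s: transition, label and exactly-one
    constraints conjoined over i = 0..n (action constraints over i < n)."""
    for i in range(n + 1):
        if sum(v[f"state{j}_{i}"] for j in STATES) != 1:
            return False
        for j in STATES:                       # state^j_i ⇒ its label at time i
            if v[f"state{j}_{i}"]:
                for prop in PROPS:
                    if v[f"{prop}_{i}"] != (prop in LABEL[j]):
                        return False
        if i < n:                              # state^j_i ∧ action^x_i ⇒ state^{δ(j,x)}_{i+1}
            if sum(v[f"action{x}_{i}"] for x in ACTIONS) != 1:
                return False
            for (j, x), j2 in DELTA.items():
                if v[f"state{j}_{i}"] and v[f"action{x}_{i}"] and not v[f"state{j2}_{i+1}"]:
                    return False
    return True


def violates(n, v, bad):
    """∨_{i=0}^{n} bad_i, the negation of the translated property ∧_{i=0}^{n} ψ_i."""
    return any(bad(v, i) for i in range(n + 1))


def model_check(bad, max_n):
    """Return the first (states, acts) path of length <= max_n on which the
    safety property is violated, or None if there is none up to that bound."""
    for n in range(max_n + 1):
        for states, acts in paths(n):
            v = assignment(states, acts)
            if not schema_s(n, v):
                raise AssertionError("a path's induced assignment must satisfy s")
            if violates(n, v, bad):
                return states, acts
    return None


def not_p_or_q(v, i):
    """¬(p ∨ q) at time i, i.e. a violation of G(p ∨ q)."""
    return not v[f"p_{i}"] and not v[f"q_{i}"]


def r_and_not_q(v, i):
    """¬(¬r ∨ q) at time i, i.e. a violation of G(¬r ∨ q)."""
    return v[f"r_{i}"] and not v[f"q_{i}"]
```

On the constructed system $G(p \vee q)$ holds on every path, so `model_check(not_p_or_q, 4)` returns `None`, whereas $G(\neg r \vee q)$ fails as soon as state 3 is entered and the shortest violating path is returned. As with the paper's formulation, a schema solver would decide the question for all n at once; the enumeration here is bounded by `max_n`.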

9 Conclusion and future work 

LTL formulae and the so-called sequential propositional schemata have been 
shown to be reducible to each other in polynomial time (exponential time when 
numbers are encoded in binary). This entails that the satisfiability of SPS is 
PSPACE-complete. Both those results are new. The reduction of SPS to LTL is 
not so surprising, and the converse reduction makes use of the well-known fact 
that the infinite semantics of LTL can be finitely represented. This remark illus- 
trates one of the two major differences between LTL and schemata: whereas the 
semantics of LTL are infinite, those of schemata are finite. The other difference 
is that schemata allow one to refer to a time in the future in a symbolic way (using 
the parameter n) and to use arithmetic operations to construct time expressions. 
If these operations are sufficiently simple, they can be encoded in LTL formulae 
as shown in Section 2. On the other hand, LTL allows for a much handier way 
to deal with time in a purely local way. 

† It is actually useless to ensure explicitly the unicity of actions since this is entailed 
by the unicity of states. 

Future work. Using the above translations to help export procedures from 
one logic to another is an obvious follow-up of this work (in particular, DPLL- 
inspired procedures for schemata could help in defining such a procedure for LTL). 
Similarly, as explained in Remark 55, investigating how model checking is done 
by translation to schemata could give ideas to define new completeness cri- 
teria for bounded model checking. The extension of the presented results to 
other classes of schemata could also be considered, e.g. schemata with nested 
iterations (proved decidable in [ACP10a,ACP11]). Translation algorithms from 
nested schemata into sequential ones exist [ACP11], however they are of double 
exponential complexity. Thus we conjecture that no polynomial-time transfor- 
mation from nested schemata to LTL exists. The extension of this study to 
other, more expressive, temporal logics could also be of interest. Notably, LTL 
with past operators [LPZ85] seems to be easily handled with (non-sequential) 
schemata simply by allowing negative numbers in indices. Since implementations 
for this logic do not have the same support as standard LTL and are generally 
not as efficient, such a reduction could help in improving those points. One could 
go even further by making connections between schemata and monadic second 
order logic (MSO). This would be interesting both in theory and practice, since 
few implementations are available for MSO (only MONA [HJJ+95] seems to be 
actively maintained). 